Reddit, the social news and discussion site with 50 million daily users, has confirmed that it has been hacked. In a February 9 security incident posting on the site itself, Reddit said it first became aware of the successful breach of its systems late on February 5. In what it refers to as a “sophisticated phishing campaign that targeted Reddit employees,” the incident alert confirmed that the attacker gained access to internal documents and code, as well as internal dashboards and business systems. However, Reddit also stated that there was no evidence that the systems used to run Reddit itself and store the majority of data, the primary production systems in other words, were breached. Furthermore, the ongoing incident investigation has found no evidence that user passwords or accounts were accessed, the report stated.
Targeted employee phishing attack behind Reddit breach
As with all such security incidents, information is currently sparse as the breach investigation continues. However, what we do know is that, also like many such security incidents, the attackers used a targeted phishing campaign to gain access.
“As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway,” the Reddit statement reads, “in an attempt to steal credentials and second-factor tokens.” It would appear that one employee was convinced, but soon realized what had happened and ‘self-reported’ to the Reddit security teams, which sprang into action immediately.
In the days that followed, Reddit stated that the investigation has concluded that limited contact information for current and former employees, as well as some advertiser information, was exposed. “We have no evidence to suggest that any of your non-public data has been accessed,” Reddit stated, “or that Reddit’s information has been published or distributed online.”
Reddit recommends users set up 2FA to protect accounts
Nonetheless, Reddit has recommended that users take the “important and simple” measure of setting up two-factor authentication (2FA) on their accounts. Reddit also suggests updating passwords every couple of months and using a password manager. The first of those is not advice most security professionals would currently condone: it is the regular password changing they object to, not the use of a password manager. Indeed, I’d recommend that you use a password manager to create a random and strong password or passphrase; 1Password, for example, makes this process very easy indeed.
I would, however, also recommend changing your Reddit account password despite there being no evidence that these have been compromised in this particular incident. As recent high-profile breaches have taught us, new evidence can come to light weeks or months after the initial attack and investigation, so a better-safe-than-sorry approach harms nobody.
I have reached out to Reddit for further comment and will update this developing story in due course.
Updated February 10 at 04.40 ET
Javvad Malik, lead security awareness advocate at KnowBe4, said: “We see in this incident that despite apparently having multi-factor authentication, a user was still phished, serving as a timely reminder that no single layer of protection will be completely foolproof. Perhaps the biggest takeaway for organisations from this incident is that the user that was phished realised their error and reported the issue, which allowed Reddit’s security team to quickly investigate the issue. This is why user training is so important, so that people can not only identify a phishing email, but know how to report it.”