Through a phishing campaign, the attacker was able to obtain one employee’s details and use them to access internal documents.
Reddit was targeted by a “sophisticated and highly targeted” phishing attack earlier this week when hackers gained access to some internal documents, code and internal business systems.
In a post yesterday (9 February), Reddit chief technology officer and founding engineer Christopher Slowe said the company first became aware of the hack targeting its employees on 5 February.
The hacker sent out “plausible-sounding prompts” to employees, directing them to a website that cloned the behaviour of Reddit’s intranet gateway to steal credentials and second-factor tokens.
After successfully obtaining an employee’s credentials, the hacker was able to access some of the company’s internal documents, code and some internal dashboards and business systems.
However, Slowe confirmed that there were no indications of a breach of its primary production systems that essentially run Reddit and store most of its data.
He also said that Reddit users had nothing to worry about as the hack did not affect private user data, based on an investigation by the security, engineering and data science teams.
“We have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” Slowe wrote in the post.
“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information.”
The affected employee reported the incident soon after being phished and the security team promptly removed the hacker’s access before commencing an internal investigation.
“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain,” Slowe said, adding that similar phishing attacks had been reported recently.
“Our goal is to fully understand and prevent future incidents of this nature, and we will use this post to provide any additional updates as we learn and can share more. So far, it also appears that many of the lessons we learned five years ago have continued to be useful.”
For users worried about the future safety of their accounts and data, Slowe suggested setting up two-factor authentication to add “an extra layer of security when you access your Reddit account”.
He also suggested changing one’s password to something strong and unique every couple of months – as well as considering using a password manager.
“Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site…because the domains won’t match,” he said.
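The domain check Slowe describes can be sketched as follows. This is an added example, not code from Reddit or from any particular password manager; the vault entry, hostnames and function names are constructed for illustration.

```javascript
// Added example: origin-bound autofill, the check a password manager performs.
// The vault entry and every hostname below are constructed for illustration.
const VAULT = [
  { origin: "https://sso.corp.example", username: "alice", itemId: "item-1" },
];

// Return the saved entry whose origin (scheme + host + port) equals the page's
// origin exactly, or null. The WHATWG URL parser normalises case and default
// ports, separates userinfo from the host, and converts Unicode hosts to
// punycode before the comparison happens.
function matchCredential(entries, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null; // unparseable address: never autofill
  }
  if (page.protocol !== "https:") return null; // no fill over plain HTTP
  return entries.find((e) => new URL(e.origin).origin === page.origin) || null;
}

// Decide what the user sees on a login page.
function autofillDecision(entries, pageUrl) {
  const hit = matchCredential(entries, pageUrl);
  return hit
    ? { fill: true, username: hit.username }
    : { fill: false, warning: "No saved login matches this site's address" };
}

// Constructed test pages: one genuine, four that merely resemble it.
const PAGES = [
  "https://SSO.corp.example:443/login",             // genuine, after normalisation
  "https://sso.corp.example.login-portal.example/", // saved name used as a prefix
  "https://sso.corp.example@login-portal.example/", // saved name in the userinfo part
  "https://sso.c\u043erp.example/login",            // Cyrillic "о" in place of Latin "o"
  "http://sso.corp.example/login",                  // scheme downgrade
];

for (const p of PAGES) {
  console.log(autofillDecision(VAULT, p).fill ? "FILL" : "WARN", p);
}
```

Only the first address is filled; a person comparing the pages by eye has no equivalent of this exact-origin comparison, which is why the missing autofill prompt is itself the warning.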