Reddit discloses security breach: what you need to know
Reddit disclosed a security breach today on the site stating that a malicious actor managed to gain access to internal servers.
The company became aware of a phishing campaign that targeted Reddit employees specifically on February 5, 2023. The campaign used "plausible sounding prompts" to get employees of the site to a phishing website that looked like the company's intranet gateway.
Employees who entered their login credentials on that fake website would provide the attackers with the credentials and also second-factor tokens.
At least one employee of the site feel for the phishing ruse, giving the attacker access to "some internal docs, code, as well as some internal dashboards and business systems". Investigators of the incident found no evidence that the attacker managed to gain access to "primary production systems", which hold the majority of data, including Reddit user data. No evidence has been found up to this point that suggests that the attacker managed to gain access to non-public user data, such as email addresses, saved posts or conversations, or the "Reddit information has been published or distributed".
The employee who fell for the phishing attack reported the incident to the Security team, according to Reddit "soon after being phished". Reddit's security team changed the status of the account, removing access to systems. The attacker could no longer access Reddit systems after the change was made.
The investigation is still ongoing and Reddit did not provide details on the information that the attacker managed to obtain while having access to company servers.
Reddit suggests that users of the site enable two-factor authentication, if they have not done so already. The post links to a support article that explains how Reddit users may enable the extra layer of protection on the site.
It needs to be noted that two-factor authentication did not prevent the phishing attack against the Reddit employee. If specifically targeted, two-factor authentication does not provide 100% protection. The security feature helps, however, when user databases with passwords are copied by attackers, as the attackers would need to obtain two-factor authentication codes from particular users if they manage to break the passwords of the database.
It remains to be seen if Reddit's initial assessment of the security breach holds. The company analyzed the security incident for several days already, but there is always a chance that additional evidence is found at a later stage in the investigation.
Now You: do you use Reddit?
We shouldn’t be surprised by news like this. There isn’t a single website, company, organisation, or other entity that isn’t vulnerable to hacking, (internet) attacks, or other malicious activities. Rather sooner than later, we all have to deal with such issues. Safety, privacy and security should be the pillars on which every (internet) presence and/or interaction is designed, modelled, built and maintained. Unfortunately, there are still too many people/organisations who pay not enough attention to these more than important issues.
By the way, thank you Martin, for your wonderful website and all the effort you put into it.