Reddit confirmed a security breach that exposed its internal systems and data via a sophisticated and highly targeted phishing attack.
Reddit said hackers targeted employees with plausible-sounding prompts and redirected them to a phishing website impersonating its intranet portals. The attack aimed to steal Reddit employee credentials and two-factor authentication tokens to access the company’s internal business systems.
“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees,” Reddit CTO Christopher Slowe posted on the platform. “As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”
Reddit security breach exposed employee and advertiser information
Reddit said it responded by blocking the compromised credentials and initiating an investigation that lasted for several days. The probe determined that attackers had successfully compromised a single employee account and used it to access some internal documents, code, internal dashboards, and business systems.
“They gained access to some internal documents, code, and some internal business systems,” Slowe said.
Additionally, the security breach exposed limited contact information of current and former employees and contacts and advertiser information.
However, the security breach did not expose Reddit user data, including passwords, credit cards, and banking information, or compromise its primary production systems. And no evidence suggested that hackers had accessed any personal or non-public data or distributed the stolen information online.
Nevertheless, Reddit advised users to frequently change their passwords, enable two-factor authentication, and use a password manager.
“Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site,” Slowe explained.
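The warning Slowe describes rests on one property of a password manager: a saved credential is bound to the exact origin it was saved on, and the manager refuses to offer it on any other origin, however convincing the page looks. The following Python script is an added illustration of that origin check; it is not Reddit's code nor any particular password manager's, and the vault entries and hostnames are constructed placeholders.

```python
"""Origin-bound autofill check of the kind a password manager performs
before offering a saved credential on a page.

Added illustration only; the VAULT contents and all hostnames are
constructed placeholders, not real Reddit or vendor data.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: credential id -> the exact origin it was saved on.
VAULT = {
    "intranet-sso": "https://intranet.example-corp.test",
    "hr-portal": "https://hr.example-corp.test:8443",
}


def canonical_origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Reduce a URL to (scheme, host, port); None if it is not an https origin.

    Path, query and fragment are irrelevant to the decision, so they are
    dropped. urlsplit already lowercases the hostname and strips any
    user@ prefix, so 'https://intranet.example-corp.test@attacker.test/'
    canonicalises to host 'attacker.test', not to the trusted host.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None  # never fill a credential into a plaintext page
    host = parts.hostname
    if not host:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    return (parts.scheme, host, port if port is not None else 443)


def autofill_decision(cred_id: str, page_url: str) -> Tuple[bool, str]:
    """Decide whether a saved credential may be offered on page_url.

    Returns (allowed, reason). A lookalike host (typo-squat, extra
    subdomain suffix, homoglyph) is simply a different string from the
    saved host, so exact comparison rejects it without any heuristics.
    """
    saved = canonical_origin(VAULT[cred_id])
    assert saved is not None, "vault entries are always https origins"
    current = canonical_origin(page_url)
    if current is None:
        return False, "page is not a well-formed https origin"
    if saved[1] != current[1]:
        return False, f"host mismatch: saved on {saved[1]}, page is {current[1]}"
    if saved[2] != current[2]:
        return False, f"port mismatch: saved on {saved[2]}, page is {current[2]}"
    return True, "origin matches the saved credential"


def should_autofill(cred_id: str, page_url: str) -> bool:
    """Boolean convenience wrapper around autofill_decision."""
    return autofill_decision(cred_id, page_url)[0]


if __name__ == "__main__":
    # Constructed sample pages: the real portal and a few lookalikes.
    for url in (
        "https://intranet.example-corp.test/login",
        "https://intranet-example-corp.test/login",
        "https://intranet.example-corp.test.attacker.test/login",
        "https://intranet.example-corp.test@attacker.test/login",
        "http://intranet.example-corp.test/login",
    ):
        allowed, reason = autofill_decision("intranet-sso", url)
        print(f"{'FILL  ' if allowed else 'REFUSE'} {url}  ({reason})")
```

The decision never looks at page content, branding or certificate validity; a cloned gateway can copy all of those, but it cannot be served from the origin the credential was saved on. That is why the manager staying silent on a login form is itself the warning sign the user should act on.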
Self-reported employee phishing attack
Reddit said it discovered the security breach after one employee self-reported falling for the sophisticated phishing attack and disclosing his login credentials.
Describing the phishing attack as compelling, Reddit disclosed that it had experienced similar incidents in the past. The news aggregation site added that it was working with its employees and friends to prevent similar phishing attacks in the future.
Reddit also acknowledged that humans were the weakest link in any security chain, and it was closely monitoring the situation. Perhaps Reddit understands that the impact of a data breach becomes more apparent weeks or months after the initial investigation. Either way, Redditors should remain vigilant and follow security best practices to avoid nasty surprises.
Meanwhile, the company believes its last experiences with a similar phishing attack were instrumental in preventing a more severe security breach: “So far, it also appears that many of the lessons we learned five years ago have continued to be useful.”
In 2018, Reddit reported a security breach that leaked users’ email addresses and a 2007 data backup with salted and hashed passwords. The attack allowed hackers to bypass SMS-based multi-factor authentication (MFA), forcing the company’s migration to token-based MFA.
However, the recent phishing attack demonstrated that hackers could bypass any MFA technology by tricking privileged employees.
“We see in this incident that despite apparently having multi-factor authentication, a user was still phished, serving as a timely reminder that no single layer of protection will be completely foolproof,” said Javvad Malik, security awareness advocate at KnowBe4.
Praising Reddit for its quick reaction in removing the threat actor’s access, Malik also stressed the importance of transparency and sound advice to potential victims.
According to Tonia Dudley, CISO at Cofense, employees should emulate the Reddit employee’s prompt reporting to prevent further damage and harden their organizations’ cyber defenses.
“Employees play a vital role in protecting the organization from malicious email phishing attacks,” said Dudley. “By reporting suspicious emails, they can help create a strong line of defense against cyberattacks.”
Unfortunately, many employees are unaware of being the victims of a phishing attack, while others are ashamed or afraid of exposing their mistakes, giving hackers more time to exfiltrate data and move laterally across the network.
According to Malik, organizations should promote a culture of security that “allows employees to confidently report issues without the fear of any negative repercussions.”