Last updated on April 25th, 2023 at 05:28 pm
Online discussion forum Reddit reported on Thursday that its systems had been breached following a sophisticated phishing attack.
In the breach notification, Reddit CTO Christopher Slowe, aka KeyserSosa, explained that the hacker “sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of [Reddit’s] intranet gateway, in an attempt to steal credentials and second-factor tokens.”
One Reddit employee fell for the scam, despite having two-factor authentication (2FA) enabled. This was enough to give the hacker “access to some internal docs, code, as well as some internal dashboards and business systems,” Slowe said. Contact details for employees and contractors, as well as certain information about advertisers, were also affected.
Fortunately, the employee who fell for the phishing email realized their mistake soon after the attack and reported what happened to Reddit’s security team, allowing them to oust the hacker from their network quickly.
According to Slowe, user data, like passwords, appears to be unaffected by the breach: “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).” However, he reminded Redditors that they can better protect their accounts by turning on 2FA and using a password manager.
Unfortunately, as some users noted, Reddit does not currently support security keys as a 2FA method, even though they offer the strongest protection against phishing attacks. Perhaps going forward, Reddit will make this option available for its users and mandatory for its employees. Doing so will better protect users, and Reddit itself, from inevitable future attacks.
