Reddit says hackers accessed internal data following employee phishing attack • ClassyBuzz

Reddit has confirmed hackers accessed internal documents and source code following a “highly-targeted” phishing attack.

A post by Reddit CTO Christopher Slowe, or KeyserSosa, explained that the company became aware of the “refined” attack targeting Reddit employees on February 5. He says that an as-yet-unidentified attacker sent “plausible-sounding prompts” that redirected employees to a website masquerading as Reddit’s intranet portal in an attempt to steal credentials and two-factor authentication tokens.

Slowe said that “comparable phishing attempts” have been reported recently, without naming specific examples. However, he likened the breach to the recent Riot Games hack, in which attackers used social engineering tactics to access source code for the company’s legacy anticheat system.

Reddit said that hackers successfully obtained a single employee’s credentials, enabling them to gain access to internal documents and source code, as well as some internal dashboards and business systems.

Slowe said the company learned of the breach after the phished employee self-reported the incident to Reddit’s security team, enabling it to quickly cut off the infiltrators’ access and begin an internal investigation.

Reddit, which has more than 50 million daily users, said its investigation has concluded that limited contact information for “lots of” current and former employees, as well as some advertiser information, was also accessed. However, the company says it has “no proof” to suggest that non-public user data and other personal data has been stolen, published, or distributed online.

Regardless, Reddit has recommended that all users set up 2FA on their accounts and use a password manager. “In addition to providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing website,” Slowe says.

“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills,” he added. “As we all know, people are sometimes the weakest part of the security chain.”

Reddit suffered a more serious data breach in 2018 that saw attackers access a full copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, hashed passwords, emails, public posts and private messages.