Reddit breached: Internal docs, dashboards, systems accessed

Popular social news website and forum Reddit has been breached (again) and the attacker “gained access to some internal docs, code, as well as some internal dashboards and business systems,” but apparently not to primary production systems and user data.

How did it happen and what’s the extent of the breach?

“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” said Reddit CTO Christopher Slowe, who goes online by the handle “KeyserSosa”.

The investigation is still ongoing and some details are yet to be confirmed, but the breach started as most corporate breaches do these days: with a successful phishing attack.

“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens,” Slowe shared.

“Soon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”

All employees have two-factor authentication enabled, both for use on Reddit as well for all internal access, he added, but the attacker managed to nab the employee’s login credentials and other access token.

Five years ago, Reddit was breached in a similar way. At the time, a few of their employees’ accounts with their cloud and source code hosting providers were compromised, after the attackers compromised employees’ passwords and intercepted the second authentication factor delivered via SMS.

So maybe this latest attack will push Reddit to implement hardware FIDO tokens (physical “keys”), which is currently the most secure option for the second authentication factor.

Slowe mentioned that he was grateful the employee reported that they had been phished when they realized it happened.

What should users do?

User data has not been accessed, but users have nevertheless been advised to enable 2FA on their Reddit account (if they haven’t already). Enabling 2FA may prevent them from being affected by attacks involving realistic phishing sites.

“And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection,” Stowe added.

Affected company contacts, employees and advertisers are being contacted.