On Thursday, Reddit announced it was the victim of “a sophisticated and highly-targeted phishing attack.” The team became aware of the phishing campaign targeting its employees on February 5. Several employees received “plausible-sounding prompts” that sent them to a fake website that looked virtually identical to Reddit’s intranet gateway. Once an employee entered their credentials into this fake site, the attacker used those credentials to get into Reddit’s systems.
According to Reddit CTO Christopher Slowe, the hacker was able to gain access to internal documents, code, dashboards, and business systems. There are no signs that the attacker breached the site’s primary production systems, the infrastructure that actually runs Reddit.
More importantly, an investigation by Reddit’s security, engineering, and data science teams didn’t turn up any evidence that non-public user data was accessed during the breach. Therefore, all of our accounts, private messages, and passwords are likely safe.
Here’s how the team responded: “Soon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator’s access and commencing an internal investigation. Similar phishing attacks have been recently reported. We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain.”
Although no one’s account was hacked, Reddit is still taking the opportunity to remind everyone to enable two-factor authentication (2FA) on their accounts. This adds one extra layer of security that could protect your data if the next breach is more severe. If you want to set up 2FA on your Reddit account, head to this page and follow the instructions.
Appropriately for Reddit, Slowe also hosted an AMA about the hack to answer any questions that users might have. In the AMA, Slowe confirmed that the employee who came forward was not fired, but might have been put in stocks as punishment.