Social media platform Reddit has moved to reassure its users that their data is secure, after a cyber attack on its systems that saw an unspecified threat actor gain unauthorised access to a limited number of internal documents, code and some internal business systems.
The breach came to light on Sunday 5 February 2023, when Reddit’s security team became aware of a “sophisticated” and targeted phishing campaign: employees received plausible-looking email prompts that directed them to a cloned copy of the company’s intranet gateway, built to capture both passwords and second-factor tokens.
One Reddit employee entered their credentials and a multi-factor authentication (MFA) token on the cloned gateway. Because a one-time code is valid wherever it is typed, that gave the threat actor working credentials for Reddit’s internal systems.
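The mechanism behind this is worth seeing concretely. The following Python is an added illustration, not Reddit’s code and not based on any detail of its gateway: a real gateway that checks a password plus a one-time code cannot tell whether the code was typed on its own login page or on a look-alike clone, so a captured code replayed within the validity window succeeds. An origin-bound second factor (a simplified WebAuthn/FIDO2 assertion, with an HMAC standing in for the credential’s signature so the example has no dependencies) fails, because the data the authenticator signs includes the origin the browser was actually on. The hostnames, usernames, secrets and the fixed timestamp are all constructed for the demo.

```python
"""Added example (not Reddit's code): a one-time MFA code typed on a cloned
login gateway can be replayed by the attacker; an origin-bound factor cannot.
All hosts, names, secrets and timestamps are constructed for the demo."""
import hashlib
import hmac
import struct

REAL_ORIGIN = "https://intranet.example.com"    # assumed real gateway
PHISH_ORIGIN = "https://intranet-example.com"   # assumed look-alike clone


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, dynamic truncation."""
    msg = struct.pack(">Q", int(unix_time // step))
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpGateway:
    """Checks password + TOTP. It has no knowledge of where the code was typed."""

    def __init__(self, users):
        self.users = users  # username -> (password, totp_secret)

    def login(self, username, password, code, now):
        pw, secret = self.users[username]
        if not hmac.compare_digest(pw, password):
            return False
        # Accept the neighbouring steps too, a common allowance for clock drift.
        return any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))


def phish_otp(real_gateway, victim, password, victim_secret, now):
    """Victim types password and current code into the clone; attacker replays them."""
    captured = {"user": victim, "password": password, "code": totp(victim_secret, now)}
    return real_gateway.login(captured["user"], captured["password"], captured["code"], now + 5)


def client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser hands to the authenticator: the browser, not the user,
    fills in the origin it is actually on, so a clone cannot claim the real one."""
    return b"webauthn.get|" + challenge + b"|" + origin.encode()


def authenticator_sign(cred_secret: bytes, rp_id: str, cdata: bytes) -> bytes:
    # Real WebAuthn: signature with the credential's private key over
    # authenticatorData || SHA-256(clientData). HMAC is a stand-in here.
    return hmac.new(cred_secret, rp_id.encode() + hashlib.sha256(cdata).digest(), hashlib.sha256).digest()


class WebAuthnGateway:
    def __init__(self, rp_id, origin, creds):
        self.rp_id, self.origin, self.creds = rp_id, origin, creds  # creds: user -> secret

    def verify(self, username, cdata: bytes, signature: bytes) -> bool:
        # 1. The origin recorded in the client data must be ours.
        if not cdata.endswith(b"|" + self.origin.encode()):
            return False
        # 2. The signature must cover exactly that client data.
        expected = authenticator_sign(self.creds[username], self.rp_id, cdata)
        return hmac.compare_digest(expected, signature)


def phish_webauthn(gateway, victim, cred_secret):
    """Clone relays the real challenge, but the victim's browser is on PHISH_ORIGIN."""
    challenge = b"server-random-challenge"
    cdata = client_data(challenge, PHISH_ORIGIN)
    sig = authenticator_sign(cred_secret, gateway.rp_id, cdata)
    return gateway.verify(victim, cdata, sig)


def legit_webauthn(gateway, victim, cred_secret):
    """Same flow from the real origin, to show the check is not simply rejecting everything."""
    challenge = b"server-random-challenge"
    cdata = client_data(challenge, REAL_ORIGIN)
    sig = authenticator_sign(cred_secret, gateway.rp_id, cdata)
    return gateway.verify(victim, cdata, sig)


def demo(now: float = 1_700_000_000):
    """Returns (OTP phish succeeded?, WebAuthn phish succeeded?, legitimate WebAuthn login ok?)."""
    victim, password, otp_secret = "alice", "correct horse battery", b"0123456789abcdef0123"
    otp_gw = OtpGateway({victim: (password, otp_secret)})
    cred_secret = b"credential-private-key-stand-in"
    wa_gw = WebAuthnGateway("intranet.example.com", REAL_ORIGIN, {victim: cred_secret})
    return (
        phish_otp(otp_gw, victim, password, otp_secret, now),
        phish_webauthn(wa_gw, victim, cred_secret),
        legit_webauthn(wa_gw, victim, cred_secret),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

In a real browser the clone would never get this far: the browser only offers a credential whose rpId matches the effective domain of the page, so intranet-example.com could not exercise a key registered for intranet.example.com at all. The origin check in the server-side verification is the second line of defence against that, and it is the property a code-based factor lacks.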
There is, however, no evidence at this stage of any breach of Reddit’s primary production systems, the parts of its infrastructure that run the public-facing site and store the majority of its user data.
“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information,” Reddit chief technology officer Chris Slowe (aka KeyserSosa) said in a post to the r/reddit subreddit detailing the incident.
“Based on several days of initial investigation by security, engineering and data science, and friends, we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.
“Soon after being phished, the affected employee self-reported, and the security team responded quickly, removing the infiltrator’s access and commencing an internal investigation. Similar phishing attacks have been recently reported.”
Slowe added: “We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain. Our goal is to fully understand and prevent future incidents of this nature.”
Whether or not they were affected, he advised Reddit users to enable MFA on their Reddit accounts as an additional layer of protection, and to use strong, unique passwords that are changed frequently.
Lessons learned
He added that the impact of the breach may have been lessened thanks to lessons learned from a previous incident in 2018, which exposed user email addresses, and salted and hashed passwords from a database dating back to 2007.
The 2018 attack exploited the weakness of SMS-based MFA: the attacker intercepted one-time codes sent by text message to employee accounts, bypassing a control that should have stopped the incident. Reddit subsequently moved away from SMS-based MFA to token-based second factors.
Javvad Malik, lead security awareness advocate at KnowBe4, described Reddit’s response to the latest incident as “exemplary”.
“While a breach or incident is never a pleasant occurrence, getting ahead of the fact with transparency and practical advice is always good,” said Malik.
“We see in this incident that despite apparently having MFA, a user was still phished, serving as a timely reminder that no single layer of protection will be completely foolproof.
“Perhaps the biggest takeaway for organisations from this incident is that the user that was phished realised their error and reported the issue, which allowed Reddit’s security team to quickly investigate the issue,” he added. “This is why user training is so important, so that people can not only identify a phishing email, but know how to report it.
“It’s worth remembering though that having a method to report phishing is one thing, but it’s important to have a culture of security which allows employees to confidently report issues without the fear of any negative repercussions.”