Dive Brief:
- Reddit was targeted by a sophisticated phishing campaign this week that allowed an outside threat actor to gain access to some of its internal systems after stealing an employee's credentials, the company said in a blog post released Thursday.
- The attackers may have gained access to a limited amount of company source code, as well as contact information for some business contacts and for current and former employees, Reddit said. A limited amount of information about advertisers may also have been exposed.
- No high-risk data, such as credit card data, company financial information or passwords, was accessed. The Reddit Ads platform and other production systems were not impacted, and so far none of the information has been posted online.
Dive Insight:
Reddit learned of the attack on Feb. 5 after an employee reported the phishing attack to the company. The security team quickly notified law enforcement and launched an internal probe.
Reddit said the threat actor sent plausible-sounding prompts that led company employees to a website mimicking the behavior of its intranet gateway. The site's goal was to steal employee credentials and second-factor tokens, according to Reddit.
The attack appears to be similar to other recent phishing attacks under investigation by law enforcement, according to Reddit.
Reddit officials reminded users to set up 2FA to help secure their accounts and also suggested using a password manager.
Rishi Bhargava, a co-founder of Demisto and startup firm Descope, praised the transparency from Reddit officials, but said the attack creates even more incentives for companies to switch to a passwordless standard, like FIDO2 or WebAuthn.
“Specifically moving to a device-based passwordless authentication based on the WebAuthn standard would have stopped this attack,” Bhargava said via email.
The WebAuthn standard relies on an old but effective technology, public key cryptography: the private key never leaves the user's device, and each credential is bound to the website's origin, so a lookalike site cannot obtain a signature the real site would accept.
Bhargava also noted the attack was similar to a July 2022 attack against Cloudflare, which happened around the same time as a Twilio attack. However, Cloudflare was able to block the attackers from compromising its systems, because employees had FIDO2-compliant security keys.
Reddit officials said many of the lessons from its 2018 cyberattack still apply here. During that incident, attackers accessed a 2007 database containing salted and hashed passwords by exploiting weaknesses in two-factor authentication via SMS.