Reddit confirms it was hacked – advises users to set up 2FA
Reddit, the social news and discussion site with 50 million daily users, has confirmed that it has been hacked. In a post about security incidents on the site itself on February 9, Reddit said it only became aware of the successful breach of its systems late on February 5. In what it refers to as a “sophisticated phishing campaign that targeted Reddit employees,” the incident alert confirmed that the attacker gained access to internal documents and code, as well as internal dashboards and business systems. However, Reddit also stated that there was no evidence that the systems used to run Reddit itself and store most of the data, the primary production systems in other words, were breached. Furthermore, the ongoing incident investigation has found no evidence that user passwords or accounts were accessed, the report states.
Targeted employee phishing attack behind Reddit breach
As with all such security incidents, information is currently sparse as the breach investigation continues. What we do know, however, is that, like many such security incidents, the attackers used a targeted phishing campaign to gain access.
“As in most phishing campaigns, the attacker sent out plausible-sounding questions that pointed employees to a website that cloned the behavior of our intranet gateway,” the Reddit statement said, “in an attempt to steal credentials and second-factor tokens.” It seems that one employee was convinced, but soon realized what had happened and “self-reported” to the Reddit security teams, who immediately took action.
Reddit stated that, in the days that followed, its investigation concluded that limited contact information for current and former employees, as well as some advertiser information, was exposed. “We have no evidence to suggest that any of your non-public data has been accessed,” Reddit stated, “or that Reddit’s information has been published or distributed online.”
Reddit recommends users set up 2FA to protect accounts
Still, Reddit has recommended that users take the “important and simple” step of setting up two-factor authentication (2FA) on their accounts. Although Reddit also suggests that it’s a good idea to update passwords every two months, in addition to using a password manager, that is not advice most security experts would currently endorse: changing passwords on a schedule only makes sense if you do not use a password manager. In fact, I would recommend that you use a password manager to create a random, strong password or passphrase; 1Password, for example, makes this very easy.
However, I would also recommend changing your Reddit account password despite the fact that there is no evidence that these have been compromised in this particular incident. As recent high-profile breaches have taught us, new evidence can emerge weeks or months after the initial attack and investigation, so a better-safe-than-sorry approach never hurts.
I’ve reached out to Reddit for further comment and will update this development story as appropriate.
Updated February 10 at 4:40 a.m. ET
Javvad Malik, lead security awareness advocate at KnowBe4, said: “We see in this incident that despite apparently having multi-factor authentication, a user was still phished, serving as a timely reminder that no single layer of protection will be completely foolproof. Perhaps the biggest benefit to organizations from this incident is that the user who was phished realized their mistake and reported the problem, which allowed Reddit’s security team to quickly investigate the problem. This is why user education is so important, so people can not only identify a phishing email, but also know how to report it.”
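The point Malik makes, and the cloned-gateway technique Reddit describes, come down to whether a second factor is bound to the site the browser is really talking to. The following is an added example, not code from the article, Reddit or KnowBe4: it implements RFC 6238 TOTP verification next to a simplified, origin-bound WebAuthn-style check. The hostnames and keys are constructed, and an HMAC stands in for the authenticator's real public-key signature so that it runs with the standard library only.

```python
import hashlib, hmac, json, struct

# Constructed demo values; not secrets, hosts or data from the Reddit incident.
TOTP_SEED = b"constructed-demo-totp-seed"
DEVICE_KEY = b"constructed-demo-authenticator-key"
RP_ORIGIN = "https://intranet.example.com"     # hypothetical legitimate gateway
CLONE_ORIGIN = "https://intranet-example.com"  # hypothetical lookalike page

def totp(seed: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(seed: bytes, code: str, t: int, skew: int = 1) -> bool:
    """Server check: accept any matching code within +/- skew steps. The code
    says nothing about which site the user typed it into, so one collected by
    a cloned gateway and forwarded inside the window verifies like a real one."""
    return any(hmac.compare_digest(totp(seed, t + 30 * d), code)
               for d in range(-skew, skew + 1))

def make_assertion(origin: str, challenge: str) -> dict:
    """Authenticator side (simplified WebAuthn): the browser reports the origin it
    is really connected to and the device signs over that client data. HMAC stands
    in for the real public-key signature so the example stays stdlib-only."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin, "challenge": challenge})
    sig = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}

def verify_origin_bound(assertion: dict, rp_origin: str, challenge: str) -> bool:
    """Relying party: the signature must cover the client data, and the signed
    origin and challenge must be the RP's own; a lookalike origin fails here."""
    expected = hmac.new(DEVICE_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data.get("origin") == rp_origin and data.get("challenge") == challenge

def compare_factors(now: int = 1_700_000_000) -> dict:
    """Which second-factor checks pass when the user was lured onto the clone."""
    code = totp(TOTP_SEED, now)  # the six digits the user's app showed at `now`
    return {
        "totp_typed_on_clone_accepted": verify_totp(TOTP_SEED, code, now + 10),
        "fido_on_real_gateway_accepted": verify_origin_bound(
            make_assertion(RP_ORIGIN, "c1"), RP_ORIGIN, "c1"),
        "fido_on_clone_accepted": verify_origin_bound(
            make_assertion(CLONE_ORIGIN, "c1"), RP_ORIGIN, "c1"),
    }
```

`compare_factors()` returns True, True, False for the three checks: the TOTP code is accepted wherever it was typed, while the origin-bound assertion produced on the lookalike page is rejected even though its signature is valid.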