Reddit confirms hack – Recommends 2FA to users


Reddit recommends two-factor authentication following hack  

Reddit, the social media website, has confirmed that the company has had a “security incident”: one of its employees was successfully targeted by a phishing campaign. After the employee self-reported the issue, Reddit’s security team stepped in, removing the attacker’s access and starting an investigation into the intrusion.

Thankfully, Reddit are confident that Reddit user passwords and accounts are safe, stating that the attacker “gained access to some internal docs, code, as well as some internal dashboards and business systems.” Reddit say they have found no indication that their primary production systems were breached, and that exposure is limited to contact information for company contacts and current and former employees, plus some advertiser information. As far as Reddit are aware, user accounts are safe.

Below is what Reddit had to say about their security incident. 

    TL;DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.

   What Happened?

On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.

   How Did We Respond?

Soon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator’s access and commencing an internal investigation. Similar phishing attacks have been recently reported. We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain.

Our goal is to fully understand and prevent future incidents of this nature, and we will use this post to provide any additional updates as we learn and can share more. So far, it also appears that many of the lessons we learned five years ago have continued to be useful.


Users should probably utilise 2FA

As part of their security disclosure, Reddit recommended that users enable account protection in the form of two-factor authentication (2FA) and use a strong, unique password for their Reddit accounts. The company also recommended password managers as an additional layer of security, and suggested that users who want to take things “a step further” change their passwords every couple of months.

    User Account Protection

Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account. The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account. Learn how to enable 2FA in Reddit Help. And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.

Also: use a password manager! Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site… because the domains won’t match!

The good news is that your Reddit account is probably safe, but this incident highlights the need for strong security on social media accounts and profiles. It is also a reminder that not all second factors are equal: the phishing page Reddit describes was built to capture second-factor tokens as well as passwords, and a one-time code typed into a cloned login page can be relayed to the real site before it expires. Codes from an authenticator app still stop attackers who only hold a leaked password, but origin-bound methods such as hardware security keys (FIDO2/WebAuthn), where a service offers them, refuse to sign in on a domain that does not match, which is the same property that makes a password manager decline to fill a password on a lookalike site. Whenever possible, enable the strongest second factor a service offers, and use a password manager so that a mismatched domain is caught before you type anything.
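The domain-matching behaviour Reddit credits to password managers comes down to one rule: a saved credential is offered only on the exact web origin it was saved for. The following is an added example, not Reddit's code or the code of any particular password manager; the vault contents, hostnames and URLs are constructed for illustration. It goes a little beyond the quoted advice by also normalising case, default ports and internationalised (homoglyph) hostnames, and by refusing to fill a saved secret on a cleartext origin.

```python
"""Origin-bound credential lookup, the way a password manager decides whether
to autofill. Added example; the vault and hostnames below are hypothetical."""
from urllib.parse import urlsplit

# Constructed vault: keys are the origins (scheme://host[:port]) on which each
# credential was originally saved. Hostnames are hypothetical.
VAULT = {
    "https://intranet.example-corp.com": ("employee", "correct horse battery staple"),
    "https://www.reddit.com": ("reddit_user", "another-long-unique-password"),
}


def origin_of(url: str) -> str:
    """Return the normalised origin of a web URL: lowercase scheme, punycode
    hostname, and an explicit port only when it is not the scheme default.
    Raises ValueError when the URL has no usable scheme or host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lowercased, port and userinfo stripped
    if scheme not in ("http", "https") or not host:
        raise ValueError(f"not a web origin: {url!r}")
    # Compare hostnames in their IDNA (punycode) form so that a Unicode
    # lookalike such as 'rеddit.com' (Cyrillic е) cannot equal 'reddit.com'.
    host = host.encode("idna").decode("ascii").lower()
    port = parts.port  # raises ValueError on a malformed port
    default = 443 if scheme == "https" else 80
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def lookup_credentials(vault: dict, page_url: str):
    """Decide whether to offer a saved credential for page_url.
    Returns (credential_or_None, reason)."""
    try:
        origin = origin_of(page_url)
    except ValueError as exc:
        return None, str(exc)
    if origin.startswith("http://"):
        # Never hand a saved secret to a cleartext page, even on the right host.
        return None, f"refusing cleartext origin {origin}"
    cred = vault.get(origin)
    if cred is None:
        # This is the warning a password manager shows on a phishing clone:
        # the page looks right, but its origin is not one we have a login for.
        return None, f"no credential saved for origin {origin}; possible phishing page"
    return cred, f"origin {origin} matches a saved entry"


def autofill_decisions(vault: dict = VAULT) -> dict:
    """Run the lookup against constructed page URLs; True means autofill."""
    pages = [
        "https://intranet.example-corp.com/login",              # genuine login page
        "https://INTRANET.example-corp.com:443/login",          # same origin, odd spelling
        "https://intranet.example-corp.com.login-portal.net/",  # attacker-controlled suffix
        "https://intranet-example-corp.com/login",              # lookalike registrable domain
        "https://www.rеddit.com/login",                         # Cyrillic е homoglyph
        "http://intranet.example-corp.com/login",               # downgrade to cleartext
    ]
    return {url: lookup_credentials(vault, url)[0] is not None for url in pages}


if __name__ == "__main__":
    for url, filled in autofill_decisions().items():
        print(f"{'FILL   ' if filled else 'REFUSE '} {url}  ({lookup_credentials(VAULT, url)[1]})")
```

Exact-origin matching is stricter than the registrable-domain (eTLD+1) matching most managers use by default, which would also fill on a sibling subdomain; the protective property is the same either way, because a cloned login page cannot sit on the victim organisation's own domain. Note that the clone still works against a user who types the password by hand and then types a one-time code, which is why the origin check matters more than the strength of the password it guards.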

You can join the discussion on Reddit getting hacked on the OC3D Forums.