A “sophisticated and highly-targeted phishing attack” on Reddit caught an employee off guard, leading to a hack of the giant discussion platform, the company said in a notice this week.
The attacker had built a “plausible-sounding” phishing lure guiding employees to a clone of Reddit’s intranet – all crafted to trick staff into divulging their access credentials and second-factor tokens.
All it took was one distracted employee to fall for the scam, which gave the attacker access to “some internal docs, code, as well as some internal dashboards and business systems.”
The hacker is thought to have also accessed limited contact information for hundreds of company contacts and employees (current and former), as well as some advertiser information.
Based on the investigation “so far,” the attacker failed to access primary production systems, while Reddit user passwords and accounts are safe, according to the announcement.
“Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” the content aggregator says.
The employee was conscientious enough to report his blunder to security, allowing a quick response that eliminated the infiltrator’s access and triggered an internal investigation.
Reddit says it’s been hit by several such phishing attacks in recent times. This has prompted the company to investigate and monitor the situation closely, as well as retrain employees on corporate security best practices.
The company took this opportunity to remind users to enable 2FA (two-factor authentication) if they haven’t done so already, and to consider changing their passwords every couple of months or so, for good measure.
It also recommends that redditors use a password manager to not only ensure that their passwords are strong, but also to combat social engineering schemes.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.