Reddit employee phished, code stolen
No user data was compromised
Reddit, 'the front page of the internet', has been hacked after an employee fell for a "plausible-sounding" phishing attack.
In a post on r/reddit, a moderator says the company became aware of a "sophisticated" phishing attack on the 5th February.
The attacker targeted Reddit employees, pointing them to a website that cloned the behaviour of Reddit's intranet gateway, in an attempt to steal credentials and second-factor tokens.
At least one employee was taken in, and the attacker was able to access documents, code and "some internal dashboards and business systems." However, there has been no indication that the company's primary tech stack - the bit that actually runs Reddit and stores its data - was breached.
While users' private data appears to be safe, the same can't be said for people working for Reddit.
"Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information.
"Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit's information has been published or distributed online."
The security team was able to respond quickly (a matter of hours, according to a follow-up comment by the moderator) as the phished employee self-reported the incident. They immediately revoked the attacker's access and have begun an internal investigation.
Computing says:
Self-reporting is what every security team wishes employees would do. Unfortunately, they're often as scared, if not more so, of the ramifications from security and management as they are of the impact of a successful hack.
Company culture plays a big part in this. If people are too scared of punishment to admit a mistake, or fear that doing so will make them look incompetent, your security team will be left in the dark for longer than necessary.
On the other hand, encouraging a culture of transparency will help nip successful attacks in the bud.