Reddit confirmed that hackers accessed their internal documents and source code after a successful, highly targeted phishing campaign.
The company became aware of this sophisticated attack on the 5th of February. The attacker is not yet known, but the phishing messages sent to employees used persuasive prompts that, once clicked, took them to a fake Reddit intranet portal in an attempt to steal credentials and 2FA tokens.
The hackers succeeded. They managed to obtain employees’ details, allowing them to access all of Reddit’s internal documents, source code and business systems.
After Reddit’s employees realised they had been phished, they immediately reported the incident to Reddit’s security team. The team cut off the attackers and started an internal investigation.
Unfortunately, the investigation found that information belonging to hundreds of current and former employees and some advertisers was accessed. There is no evidence that personal user data or other non-public data has been stolen, published or distributed online on the dark web.
“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills,” said Reddit’s CTO Christopher Slowe.
All users are advised to set up MFA and strengthen their accounts, even though there is no evidence of stolen personal data. We at Neuways always recommend setting up MFA for all login accounts, both business and private.