Reddit, a popular discussion website, has been victimized by malicious campaigns and suffered security breach.
Hackers targeted Reddit with a sophisticated, highly targeted phishing attack. They accessed a few internal documents, codes, and business systems.
On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, and internal dashboards and business systems. We show no indication of a breach of our primary production systems (the parts of our stack that run Reddit and store most of our data).
Cyber Investigation Ongoing
The company officials said soon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator’s access and commencing an internal investigation. Similar phishing attacks have been recently reported. We’re continuing to closely investigate and monitor the situation and working with our employees to fortify our security skills.
How to protect your Reddit account?
The most important (and simple) measure you can take is to set up 2FA (two-factor authentication), which adds an extra layer of security when you access your Reddit account.
In 2018, Reddit Systems Got Hacked Through Insecure SMS 2FA SetUp