Reddit, the popular social platform, has confirmed a hack into their internal systems by an attacker who successfully conducted a phishing campaign, whose goal was to trick employees into obtaining access credentials and second factor tokens. The company, although it has revealed that the attack was “sophisticated and highly targeted”, stresses that user data is safe.
The hack occurred on February 5, after an employee, victim of the phishing campaign, entered his login details on a fake website that the attacker created and, according to Reddit, cloned the behavior of the gateway to the platform’s intranet. With the credentials, the hacker was able to access various internal documents. Also to the code, and to business systems. The company, however, claims that there are no indications of a breach in the primary production systems. That is, where some parts of the stack that allows Reddit to work and where most of the data of the social network is stored.
Reddit, yes, ensures that the attacker was able to obtain “limited contact information” from hundreds of contacts and company workers, both current and former, as well as data from some advertisers. However, it details that there is no indication of non-public data exposure. “We have no evidence to suggest that any of your non-public data has been accessed, or that Reddit information has been published or distributed online,” they stand out in a statement.
Reddit confirms that user accounts are safe
Despite the magnitude of the attack, taking into account the ease with which the attacker has accessed part of the platform’s data, Reddit ensures that User accounts or passwords have not been compromised.
“Based on our investigation so far, Reddit users’ passwords and accounts are secure, but on Sunday night (target time), Reddit’s systems were hacked as a result of a sophisticated and highly targeted phishing attack. They got access to some internal documents, code and some internal business systems.”
Reddit, however, recommends enabling the two factor authentication process, in order to have extra security when logging in. Also change the password every two months. Or even use a password manager to generate more complicated passwords and, again, add an additional layer of protection, because if a user tries to enter that password on a fraudulent website, the manager will activate a notice detailing that the address of that site does not match the official
