Social network Reddit was hit by a phishing attack earlier this month, but CTO Christopher Slowe says the damage was limited, in part because the employee whose credentials were compromised quickly informed Reddit’s security team.
In a post to Reddit’s r/reddit board, Slowe (who goes by the handle u/KeyserSosa) said the company became aware in the late PST hours of February 5, 2023, of a “sophisticated phishing campaign that targeted Reddit employees.” The campaign itself appears to have been straight from the standard phishing playbook—use of fake prompts to direct Reddit employees to websites designed to resemble intranet gateways to the company’s systems, whereupon the attackers could attempt to yank credentials and authentication tokens.
A “single employee” fell victim to the scheme, according to Slowe. As a result, the attacker was able to access “internal docs, code, as well as some internal dashboards and business systems.” However, Slowe wrote, there was no evidence the attacker accessed “primary production systems” responsible for actually running the site on a day-to-day basis, and which store most of the company’s data.
Several days of investigation had failed to turn up any evidence that non-public information was compromised during the incident, though it’s important to keep in mind that breaches are often more expansive than targets initially realize (or at the very least, disclose to users).
Slowe acknowledged in a reply to another Reddit user that the employee’s decision to admit the mistake to security probably wasn’t the most pleasant experience, although it did allow prompt termination of the attacker’s access. Many organizations struggle to build the kind of healthy cybersecurity culture where employees feel comfortable admitting they’ve fallen for an attack, in large part because of fear of consequences. Slowe wrote in a follow-up post that the staff member in question had not faced punitive action beyond temporary revocation of credentials during incident response, adding that the company is “grateful of the self-reporting!”
Reddit was previously hit by a phishing attack in 2018, after which it implemented token-based two-factor authentication access requirements for certain sensitive systems. In his post, Slowe wrote that the lessons learned as a result of that prior attack—which exposed old Reddit backups, some user account data, and reader digest emails—remain useful.
Phishing remains one of the most prolific attack vectors in cybercrime, increasingly involving tactics like smishing (text-based phishing) or the creation of fake social media profiles. It’s difficult to find studies that don’t show organizations deluged in phishing attempts; network security firm SlashNext released data late last year estimating it had detected over 255 million phishing attacks over six months in 2022, with mobile and personal comms a particular rising target. The rise of AI writing tools such as ChatGPT also bodes poorly for the future, as such technology could allow bulk crafting of more convincing phishing prompts.
Reddit did not respond to IT Brew’s request for comment on this story beyond an automated form email.—TM