Reddit's internal systems were breached on February 5 in what the company called a “sophisticated” and “highly-targeted” phishing attack that compromised an employee's credentials.
“The attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens,” the company wrote on Thursday.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”
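The disclosure describes a phishing site that cloned the intranet gateway so it could capture both the password and the second-factor token. One defensive check that follows from that description is to scan outbound proxy or authentication logs for requests to hostnames that look like the real gateway. The script below is an added example, not Reddit's code; the gateway hostname, the log lines and the homoglyph table are constructed placeholders, since the disclosure names no domains.

```python
"""Flag requests to hostnames that look like a cloned intranet gateway.

Added example, not Reddit's code. The gateway hostname and the log lines
are constructed placeholders; the disclosure names no real domains.
"""
import re

# Assumed legitimate gateway hostname (placeholder, not from the disclosure).
LEGIT_GATEWAY = "intranet.example-corp.com"

# A small, constructed table of look-alike character substitutions.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed proxy log format: "<timestamp> <user> <method> <url>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*)"
)

# Constructed sample log lines; only two of them hit look-alike hosts.
LOG_LINES = [
    "2023-02-05T09:12:01Z alice POST https://intranet.example-corp.com/login",
    "2023-02-05T09:13:44Z bob POST https://intranet.examp1e-corp.com/login",
    "2023-02-05T09:14:10Z carol GET https://wiki.example-corp.com/page",
    "2023-02-05T09:15:02Z dave POST https://intranet.example-corp.com.sso-portal.net/login",
    "2023-02-05T09:16:30Z erin GET https://docs.python.org/3/",
]


def normalize(host: str) -> str:
    """Lower-case the host and undo common homoglyph substitutions."""
    h = host.lower()
    for look_alike, real in HOMOGLYPHS.items():
        h = h.replace(look_alike, real)
    return h


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str, legit: str = LEGIT_GATEWAY, max_distance: int = 2) -> bool:
    """True when host is not the real gateway's domain but resembles it."""
    host = host.lower()
    if registrable(host) == registrable(legit):
        return False  # same registrable domain as the real gateway: not a clone
    h, l = normalize(host), normalize(legit)
    brand = registrable(l).split(".")[0]  # e.g. "example-corp"
    if h == l:
        return True  # differs only by homoglyphs
    if h.startswith(l + "."):
        return True  # real hostname used as a subdomain of the attacker's domain
    if brand in h:
        return True  # brand name embedded in an unrelated registrable domain
    return edit_distance(h, l) <= max_distance  # short typo-squat


def scan(lines):
    """Return (user, host, method) for every request to a look-alike host."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        if is_lookalike(host):
            flagged.append((m.group("user"), host, m.group("method")))
    return flagged


if __name__ == "__main__":
    for user, host, method in scan(LOG_LINES):
        print(f"{user}: {method} to look-alike host {host}")
```

The POST hits are the ones that matter: a credential form submitted to a look-alike host is exactly the moment described in the disclosure, and an alert on it gives the responder a user and a timestamp to start from. The two-label registrable-domain rule is deliberately simple; a production version would consult the public suffix list.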
However, Reddit said there was “no indication” of a breach of the company’s primary production systems, where most of its data is stored.
“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information,” reads the disclosure.
“Based on several days of the initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed or that Reddit’s information has been published or distributed online.”
According to CyberSmart CEO Jamie Akhtar, the breach is a perfect example of the maxim ‘your staff are your most valuable security asset.’
“Despite Reddit having excellent technical security controls in place, cyber-criminals were able to breach its defenses simply by targeting its staff,” Akhtar told Infosecurity in an email.
“Training can help your people better recognize and understand the threats they face. And, more importantly, learn how to avoid them in the first place.”
Erfan Shadabi, a cybersecurity expert with data security specialists comforte AG, echoed Akhtar’s point, adding that a culture of data security and privacy must be sponsored from the top down.
“[This], along with a corporate culture that encourages employees to analyze requests for sensitive data no matter how much time it takes, can turn the tide on this ever-present trend of phishing attacks.”
The Reddit breach comes months after security company Cerby published a report suggesting that the security shortcomings of Reddit and other social media could lead to disinformation.