Social media site Reddit has confirmed that hackers gained access to internal documents and source code in a "highly-targeted" phishing attack on 5 February 2023. In a post by Reddit CTO Christopher Slowe, the company said the attackers sent "plausible-sounding prompts" directing employees to a website that imitated Reddit's intranet portal; the lookalike site captured the employees' credentials and two-factor authentication tokens.
Reddit said the attackers successfully gained access to an employee's credentials, allowing them to access internal documents and source code, as well as some internal dashboards and business systems.
The company added that it learned of the breach when the affected employee self-reported the incident, after which it quickly cut off the hackers' access and started an internal investigation. Reddit said the investigation showed that some contact information for hundreds of current and former employees, as well as advertiser information, was accessed, but that it has no evidence that personal user data has been stolen, published or distributed.
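The mechanism described above, a lookalike intranet page that captures both the password and the second-factor token, is worth seeing in working code because it shows why a one-time code does not stop this kind of attack while an origin-bound factor does. The block below is an added example, not code from the article, from Reddit or from Slowe's post. It assumes the stolen tokens were time-based one-time codes (the article does not say which kind of second factor was in use), stands in the real portal and the attacker's relay with in-process functions, and uses an HMAC in place of the WebAuthn public-key signature. The host names, user record and secrets are all constructed.

```python
"""
Added example: relaying a phished password + second factor to the real portal.

TOTP: the code is bound to time, not to the site it was typed into, so a relay
inside the 30 s window succeeds. WebAuthn-style assertion: the browser signs
the origin it is actually on into the assertion, so the same relay fails.
Everything runs in-process; nothing touches the network.
"""
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://intranet.example.com"    # constructed stand-in for the real portal
PHISH_ORIGIN = "https://intranet-example.com"   # constructed lookalike domain

# Constructed user record. A real portal would store a password hash and a
# registered WebAuthn public key rather than raw secrets.
USER = {
    "name": "alice",
    "password": "correct horse battery staple",
    "totp_secret": base64.b32encode(b"0123456789abcdef").decode(),
    "authenticator_key": b"per-device secret standing in for a private key",
}


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30 s step, 6 digits)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def portal_login_totp(username, password, code, now):
    """Real portal, password + TOTP. It cannot tell which page the user typed into."""
    if username != USER["name"] or not hmac.compare_digest(USER["password"], password):
        return False
    return hmac.compare_digest(totp(USER["totp_secret"], now), code)


def authenticator_sign(challenge, origin):
    """Authenticator side of a WebAuthn-style assertion. The browser, not the
    user, supplies the origin it is on, and that origin goes under the signature.
    (HMAC stands in for the real public-key signature; same binding property.)"""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    sig = hmac.new(USER["authenticator_key"], client_data, hashlib.sha256).digest()
    return client_data, sig


def portal_login_webauthn(username, issued_challenge, client_data, sig):
    """Real portal: verify the signature, then check the origin the browser recorded."""
    if username != USER["name"]:
        return False
    expected = hmac.new(USER["authenticator_key"], client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == issued_challenge and data["origin"] == REAL_ORIGIN


def simulate_totp_relay(victim_time=1_700_000_000, relay_delay=5):
    """Victim types password and current code into the lookalike page; the
    attacker forwards them to the real portal relay_delay seconds later."""
    captured = {                       # what the phishing page harvested
        "user": USER["name"],
        "password": USER["password"],
        "code": totp(USER["totp_secret"], victim_time),
    }
    return portal_login_totp(captured["user"], captured["password"],
                             captured["code"], victim_time + relay_delay)


def simulate_webauthn_relay(browser_origin=PHISH_ORIGIN):
    """Same relay against an origin-bound factor. The attacker obtains a genuine
    challenge from the portal and hands it to the victim's browser, but that
    browser signs the origin it is really on into the assertion."""
    challenge = "c0ffee1234"           # constructed; issued by the portal to the attacker's session
    client_data, sig = authenticator_sign(challenge, browser_origin)
    return portal_login_webauthn(USER["name"], challenge, client_data, sig)


if __name__ == "__main__":
    print("TOTP relay within window succeeds:", simulate_totp_relay())           # True
    print("TOTP relay after 60 s succeeds:", simulate_totp_relay(relay_delay=60))  # False
    print("WebAuthn relay succeeds:", simulate_webauthn_relay())                  # False
```

The point of the second half is not that WebAuthn is unphishable in every deployment, but that the server gets a signed statement of the origin the browser was on, which a one-time code never carries; a relay of a code only has to beat the 30 s step, which a live proxy does trivially.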
Reddit has recommended that all users set up two-factor authentication on their accounts and use a password manager. Cybersecurity experts at Exabeam, StrongDM and OpenText shared how this type of threat could have been mitigated and how other organizations can protect themselves from a similar incident.
Sam Humphries, Head of Security Strategy, EMEA, Exabeam
“This latest incident is yet another reminder that all it takes is one employee’s credentials to be stolen to open the door to an organisation’s internal systems. This compromise is often achieved through a simple, tried-and-true method – targeted phishing attacks. By accessing one user’s account after they fell victim to the phishing attempt, the adversaries were able to mine numerous documents and source code – and this company is not alone. Many others have been successfully breached the same way in recent weeks.
“Fortunately, in the case of Reddit, the targeted employee self-reported the incident to their security team, allowing for prompt investigation and response. More often, organisations struggle to detect the usage of compromised credentials. A recent survey found that 65% of security professionals still prioritise prevention over threat detection, investigation, and response - demonstrating that there is a clear disconnect between the frequency with which companies are facing these attacks and the ability to detect them successfully.
“As such, organisations need to place as much (if not more) emphasis on detection as prevention. This will allow them to more efficiently and effectively identify malicious behaviour indicative of a compromised employee account and minimise data theft.”
Justin McCarthy, co-founder and CTO, StrongDM
“The goal of nearly every cyber adversary is simple – access – and whether they gain access through phishing or other means the outcome is never good.
Attackers are relying on highly sophisticated social engineering tactics to secure valid credentials because they’re essentially VIP passes into databases and servers — as evidenced by this Reddit incident. Unfortunately, once adversaries get those valid credentials, they oftentimes have unlimited access internally.
Even the most cyber-aware employees can unknowingly fall victim to a phishing attack. Ensuring that access to infrastructure is secured for all users — from admins, developers, analysts and more — is critical to keeping employee, partner and customer data safe. One way to accomplish this, and prevent fallout from a phishing attempt, is completely eliminating credentials from the hands of your staff and moving to just-in-time access or ‘Zero Standing Privilege’.”
Matt Aldridge, Principal Solutions Consultant, OpenText Cybersecurity
“Another day, another cyber-attack caused by a common attack vector: a phishing campaign targeted at employees. Cybercriminals are continuing to have great success with this method of breaching corporate networks – and organisations are now playing catch-up to protect against these threats.
To ensure preparedness, businesses need to ensure they have real-time anti-phishing integrated into any security solutions that they install on employee endpoint devices. Hackers make money from successful phishing attacks and are therefore constantly changing their techniques and tactics to ensure the highest rate of return. Powerful threat intelligence technology that uses machine learning to identify the latest threats can help massively when it comes to protecting against these ever-evolving scams.
It’s also crucial to ensure staff are properly trained to identify threats. There’s no use investing in sophisticated cybersecurity software and services if employees continue to click on dangerous phishing links that slip through the net, in turn granting cybercriminals access to the business network. It’s like turning on a fancy home security alarm, but leaving a window open – you’ll be left playing catch-up after the bad guys get in. Cybersecurity training providers are now working continuously to adjust the content in their courses and simulations to reflect the latest threat landscape – and businesses need to ensure they’re rolling out a comprehensive and consistent education programme as well as the latest anti-phishing technology. Only then will they be able to truly improve employee vigilance and stand the best chance of defending the network.”