Colorful web forum Reddit has revealed it has suffered a security breach.
In a post titled “We had a security incident. Here’s what we know” Reddit’s founding engineer and CTO “KeyserSosa” – aka Christopher Slowe – explained that late on February 5 “we became aware of a sophisticated phishing campaign that targeted Reddit employees.”
It only takes one person to fall for it and before you know it, two days have passed and your desk is covered in empty energy drinks
The attacker “sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems,” he added. “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”
Contact information for “hundreds” of employees past and present, advertisers, and other business contacts were accessed, but Slowe said Reddit has found “no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”
The post also reveals that the employee whose creds were phished self-reported the incident, whereupon Reddit’s security team removed the attackers’ access and commenced an internal investigation.
“We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills,” Slowe wrote. “As we all know, the human is often the weakest part of the security chain.”
In the Ask Me Anything (AMA) session Reddit ran after disclosing the incident, Slowe added: “It only takes one person to fall for it and then before you know it, two days have passed and your desk is covered in takeout boxes and empty energy drinks.”
Redditors in that thread are broadly sympathetic to the company’s plight, with some sharing their own tales of falling for phishing.
Slowe’s responses to comments reveal that the employee who was phished had multifactor authentication enabled, as is compulsory at Reddit, but he declined to detail the time elapsed between detection of the incident and when the attackers’ access to Reddit resources was revoked.
One post in the AMA asked “Hope no one was fired over this.”
Slowe responded: “I see it as we have invested in an employee’s security education. Also it was fun to be able to dust off ye olde stocks” – perhaps suggesting a little internal shaming was one consequence of the incident.
Security incidents are never welcome, especially for orgs like Reddit that are reportedly keen to go public.
However this incident appears to have limited impact, making it more of a SNAFU than a candidate for Reddit’s infamous TIFU* forum. ®
*TIFU = Today I f***ed Up.