An attacker was able to gain access to some of Reddit’s internal dashboards, code, and documents after stealing an employee’s credentials in a recent phishing attack, the company said Thursday.
Reddit discovered the intrusion on Feb. 5 after the employee reported the phishing attack, and company officials said that the attacker does not appear to have had access to any non-public user data. Some advertiser data, as well as contact information for some current and former Reddit employees, was also exposed.
“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens,” Reddit’s notice says.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”
The attacker sent the phishing messages to a number of employees and included a link to a site designed to mimic the look and feel of a Reddit internal gateway. The technique is a common one, and in this case it was used to steal the victim’s credentials and 2FA token.
“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” the Reddit notice says.
Reddit had a somewhat similar incident in 2018 when an attacker intercepted SMS-based 2FA messages and was able to get access to an old database backup that housed credentials and other data from about 2005 to 2007.