Reddit Says Hackers Accessed Employee Data Following Phishing Attack (techcrunch.com)

Reddit has confirmed hackers accessed internal documents and source code following a "highly-targeted" phishing attack. From a report: A post by Reddit CTO Christopher Slowe, or KeyserSosa, explained that the company became aware of the "sophisticated" attack targeting Reddit employees on February 5. He says that an as-yet-unidentified attacker sent "plausible-sounding prompts," which redirected employees to a website masquerading as Reddit's intranet portal in an attempt to steal credentials and two-factor authentication tokens.

Slowe said that "similar phishing attempts" have been reported recently, without naming specific examples, but likened the breach to the recent Riot Games hack, which saw attackers use social engineering tactics to access source code for the company's legacy anti-cheat system. Reddit said that hackers successfully obtained an employee's credentials, allowing them to gain access to internal documents and source code, as well as some internal dashboards and business systems. Slowe said the company learned of the breach after the phished employee self-reported the incident to Reddit's security team. Reddit quickly cut off the infiltrators' access and began an internal investigation.

  • by DesScorp ( 410532 ) on Friday February 10, 2023 @10:53AM (#63281763) Journal

    From the article:

    "Regardless, Reddit has recommended that all users set up two-factor authentication on their accounts and use a password manager. “Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site,” Slowe says."

    Except that the two biggest password manager services have both been compromised recently [kiplinger.com].

    You're much better off keeping your self-created, complex passwords on an encrypted thumb drive.

    • by Errol backfiring ( 1280012 ) on Friday February 10, 2023 @11:13AM (#63281829) Journal
      Online password managers are by definition a bad idea. There are enough password managers that work with files that you can put on a USB drive. Some can even store the 2-factor data for you and generate the TOTP codes, but that is not necessarily a sane idea either.
    • Or on a post-it under your keyboard, protected by Walther or S&W

    • Surely there's an irony in asking people to set up 2FA when it would seem much more sensible that all their employees use it.
    • by vux984 ( 928602 )

      "You're much better off keeping your self-created, complex passwords on an encrypted thumb drive."

      Why would I be much better off with that?

      I could lose the encrypted thumb drive. It could be stolen. It could fail, or become corrupted. I could have a whole bag of them, but that just increases the odds of losing one, or one failing, and adds an additional burden of keeping them in sync.

      It would be super annoying to sign into anything from my phone if all my passwords were on a thumb drive.

      Your "better off solutio
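The report describes a look-alike intranet portal harvesting credentials and 2FA tokens, and Slowe's quoted point is that a password manager warns before a saved password is used on such a site. The added example below (not code from the article, Reddit or any real password manager) shows the origin check behind that warning: a vault entry is bound to the exact https host it was saved on, an exact match fills, a host that embeds or closely resembles the saved host warns, and anything else gets nothing. The vault contents and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed vault: credentials saved on a fictional intranet portal.
VAULT = {"intranet.example.com": {"user": "alice", "password": "correct horse"}}


def _host(url):
    """Normalised hostname of an https URL, or None if the page is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to flag near-identical hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fill_decision(url, vault=VAULT):
    """Decide what a password manager should do on the page at `url`.

    Returns ("fill", entry) only for an exact host match over https,
    ("warn", reason) for a page that resembles a saved site (the phishing
    case), and ("none", None) for an unrelated site.
    """
    host = _host(url)
    if host is None:
        return ("warn", "not an https page; saved credentials are never filled here")
    if host in vault:
        return ("fill", vault[host])
    for saved in vault:
        # Saved host stuffed into a longer name, e.g. intranet.example.com.evil.test
        if saved in host:
            return ("warn", f"{host} embeds the saved site {saved}")
        # Typosquat or punctuation swap, e.g. intranet-example.com
        if _edit_distance(host, saved) <= 3:
            return ("warn", f"{host} closely resembles the saved site {saved}")
    return ("none", None)
```

A real manager keys on the registrable domain rather than the full host, but the principle is the same: the decision is made from the page's actual origin, which the user reading a plausible-looking page cannot be relied on to check.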

  • I too have been duped by that dastardly Nigerian prince. I feel ya, Reddit.
  • by Murdoch5 ( 1563847 ) on Friday February 10, 2023 @11:12AM (#63281825) Homepage
    Since everyone was using a high security OS like Qubes, and all communication is verified against PGP, the attack surface was essentially 0, right? Or was the problem really that very few proper security and verification protocols were in place, and it was really just blind stupid trust driving everything?

    Since I can guess with 99.9% accuracy that the problem boils down to security mixed with verification, do you think Reddit will take the steps to secure the tool / process chain? No, no they won't, because companies do not care about security or verification, they only care about throughput and faking competence to fool shareholders, who themselves are rarely qualified beyond where to find the "start" menu.
  • All of the reddit gold
  • I hope they release it publicly.

    I've personally never met a more sociopathic band of aggressive petty tyrants than the mods of reddit and their enablers, the staff of reddit.
