Reddit Says Hackers Accessed Employee Data Following Phishing Attack (techcrunch.com)
Reddit has confirmed hackers accessed internal documents and source code following a "highly-targeted" phishing attack. From a report: A post by Reddit CTO Christopher Slowe, or KeyserSosa, explained that the company became aware of the "sophisticated" attack targeting Reddit employees on February 5. He says that an as-yet-unidentified attacker sent "plausible-sounding prompts," which redirected employees to a website masquerading as Reddit's intranet portal in an attempt to steal credentials and two-factor authentication tokens.
Slowe said that "similar phishing attempts" have been reported recently, without naming specific examples, but likened the breach to the recent Riot Games hack, which saw attackers use social engineering tactics to access source code for the company's legacy anti-cheat system. Reddit said that hackers successfully obtained an employee's credentials, allowing them to gain access to internal documents and source code, as well as some internal dashboards and business systems. Slowe said the company learned of the breach after the phished employee self-reported the incident to Reddit's security team. Reddit quickly cut off the infiltrators' access and began an internal investigation.
That's great, except... (Score:3)
From the article:
"Regardless, Reddit has recommended that all users set up two-factor authentication on their accounts and use a password manager. “Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site,” Slowe says."
Except that the two biggest password manager services have both been compromised recently [kiplinger.com].
You're much better off keeping your self-created, complex passwords on an encrypted thumb drive.
Re:That's great, except... (Score:4, Insightful)
Re: (Score:2)
But iPhones can't use USB flash drives. :P
Re: (Score:2)
Or on a post-it under your keyboard, protected by Walther or S&W
Re: (Score:2)
Daewoo DH380.
Re: (Score:1)
You need a bigger pew pew
Re: (Score:2)
Re: (Score:2)
"You're much better off keeping your self-created, complex passwords on an encrypted thumb drive."
Why would I be much better off with that?
I could lose the encrypted thumb drive. It could be stolen. It could fail, or become corrupted. I could have a whole bag of them, but that just increases the odds of losing one, or one failing, and adds an additional burden of keeping them in sync.
It would be super annoying to sign into anything from my phone if all my passwords were on a thumbdrive.
Your "better off solutio
Me too (Score:2)
So? (Score:3)
Since I can guess with 99.9% accuracy that the problem boils down to security mixed with verification, do you think Reddit will take the steps to secure the tool / process chain? No, no they won't, because companies do not care about security or verification, they only care about throughput and faking competence to fool shareholders, who themselves are rarely qualified beyond where to find the "start" menu.
I Hop They Didn't Steal (Score:2)
good (Score:1)
I hope they release it publicly.
I've personally never met a more sociopathic band of aggressive petty tyrants than the mods of reddit and their enablers, the staff of reddit.
Ironic (Score:2)