Unlike many other recent breach targets, Reddit, the popular social media site, was quick to disclose that some company data had been stolen in a phishing incident. It said user information was not affected and remains safe – so far.
“On Sunday night (Pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems,” the company said in a thread posted to the official r/reddit community on Thursday.
According to Reddit, the attackers sent employees a phishing lure that led to a landing page impersonating the company's intranet site. The page harvested employees' credentials and two-factor authentication tokens. One-time codes offer no protection against this kind of page: a code typed into the lookalike site and relayed to the real site within its validity window is accepted, because nothing ties the code to where the user entered it.
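The following is an added example, not code from Reddit or from the incident, illustrating the point above: a time-based one-time code captured by a credential-harvesting page can be relayed to the real site and accepted, whereas an origin-bound authenticator (WebAuthn-style) signs the origin the browser actually sees, so the same relay fails. The hostnames, secrets and challenge are constructed for the demo, and an HMAC stands in for the public-key signature a real authenticator would produce.

```python
import hashlib
import hmac
import struct
import time

# All names and secrets below are constructed for this demo (assumptions).
REAL_ORIGIN = "https://intranet.example.com"      # the legitimate site
PHISH_ORIGIN = "https://intranet-example.com"     # lookalike harvesting page
TOTP_SECRET = b"constructed-shared-totp-secret"   # shared user/server secret
AUTHENTICATOR_KEY = b"constructed-device-key"     # stand-in for a device private key


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(code: str, at: int, step: int = 30) -> bool:
    """Server side: accept the code for the current or previous window.
    Nothing here ties the code to the site the user typed it into."""
    for t in (at, at - step):
        if hmac.compare_digest(code, totp(TOTP_SECRET, t, step)):
            return True
    return False


def totp_relay_attack(at: int) -> bool:
    """Victim types a fresh code into the lookalike page; the phisher forwards
    it to the real site a couple of seconds later. True means it was accepted."""
    code_typed_on_phish_page = totp(TOTP_SECRET, at)  # from the victim's app
    relayed = code_typed_on_phish_page                # forwarded unchanged
    return server_verify_totp(relayed, at + 2)


def authenticator_sign(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Origin-bound authenticator: the browser supplies the origin it is really
    talking to and the signature covers it (HMAC stands in for a signature)."""
    msg = challenge + origin_seen_by_browser.encode()
    return hmac.new(AUTHENTICATOR_KEY, msg, hashlib.sha256).digest()


def server_verify_assertion(challenge: bytes, signature: bytes) -> bool:
    """Server verifies the assertion against ITS OWN origin only."""
    expected = authenticator_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(signature, expected)


def webauthn_relay_attack(challenge: bytes) -> bool:
    """Phisher forwards the real server's challenge; the victim's browser signs
    it bound to the phishing origin; the phisher relays the result.
    True means the real server accepted it."""
    sig = authenticator_sign(challenge, PHISH_ORIGIN)
    return server_verify_assertion(challenge, sig)


if __name__ == "__main__":
    now = int(time.time())
    print("TOTP relayed through lookalike page accepted:", totp_relay_attack(now))
    print("Origin-bound assertion relayed accepted:",
          webauthn_relay_attack(b"server-challenge"))
```

The TOTP verifier tolerates one previous window, as most production verifiers do, which is exactly what gives the relay its few seconds of slack. The origin check is the whole difference: the phishing page never sees the real origin in the signed data, and the server never accepts anything signed for another origin.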
After one employee fell for the lure, the threat actor was able to reach internal Reddit systems. The company learned of the compromise when that employee self-reported the incident to the security team.
Reddit said the stolen data included limited information about the company's advertisers, but passwords and credit card details were reportedly not accessed.
“Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online,” the firm said.
Still, the investigation is ongoing, and Reddit qualifies its disclosure from the outset: "Based on our investigation so far."
Security researchers are now praising Reddit for its quick and candid response to the breach, which stands in stark contrast to how some other targeted companies have handled hacking incidents recently.
For example, chipmaker Nvidia stayed tight-lipped for several weeks at the beginning of 2022 and did not provide any details about a "data extortion event." The notorious Lapsus$ extortion gang filled the silence by claiming responsibility for the breach and saying it had stolen one terabyte of data.
According to the breach-notification site Have I Been Pwned, the attackers obtained the credentials of more than 71,000 Nvidia employees, including email addresses and Windows (NTLM) password hashes.
LastPass, the beleaguered password manager giant, turned out to be the worst offender at mishandling a data breach. The firm confirmed in late December that attackers had stolen copies of customers' encrypted password vaults.
But the security community soon criticized LastPass fiercely, because it had previously told customers not to worry even though it had known about the theft for at least a month without reporting it. Its reputation was tarnished accordingly.