The popular online platform Reddit confirmed on Thursday that it had a security incident earlier this month. Although the attack, described as “sophisticated,” was successful, Reddit says that its users’ personal data is safe and wasn’t accessed by the attackers.
As detailed on the official r/reddit community, Reddit’s systems were hacked by a “sophisticated and highly-targeted phishing attack” on February 5, 2023. The attackers sent “plausible-sounding prompts” redirecting employees to a website that cloned the behavior of the company’s intranet. As a result, the attackers were able to steal credentials and two-factor tokens.
With these credentials, the attackers were able to access Reddit’s internal documents, as well as code and business systems. However, the platform claims that personal user data and other non-public data haven’t been accessed, published, or distributed online. The information obtained by the attackers is limited to employee, company, and advertiser contact information.
“Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.”
Reddit says it quickly responded to the attack by removing the infiltrator’s access. According to the company, the attack is still being investigated, and Reddit will take further steps to fortify its internal security.
What changes for Reddit users?
Even though user data is allegedly secure, Reddit asks everyone to secure their account with two-factor authentication. This adds an extra layer of security even if someone has access to your password. The platform also recommends that users change their password every few months. “Also: use a password manager,” Reddit adds.