Reddit on data breach: ‘As we all know, the human is often the weakest part of the security chain’

Share post:

Cybersecurity experts have long said that attackers need only to get lucky only once, while organizations have to be lucky every time there’s an attack.

Evidence of that maxim was demonstrated in the explanation by Reddit of its recent data breach.

On Feb. 5, an unknown attacker launched what the discussion site called a  “sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”

As a result of the incident, the statement said, Reddit is working to “fortify” employees’ security skills. “As we all know, the human is often the weakest part of the security chain,” the statement added.

To this employee’s credit, however, they reported their mistake, allowing Reddit’s security team to quickly remove the infiltrator’s access.

There is no evidence the site’s primary production systems — the parts of the stack that run Reddit and store the majority of its data — were accessed, the statement said.  Reddit user passwords and accounts are safe, it added.

However, the site admitted the attacker accessed “some internal documents, code, and some internal business systems.”

Exposed data included what the statement called “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

The statement also urges Reddit users to enable multifactor authentication to protect their login credentials, and to use a password manager.

Johannes Ullrich, dean of research at the SANS Technology Institute, noted in an email that there is a lot of technology to detect website impersonation. “For example, companies like Google have invested a lot of effort to clean up the TLS [transport layer security, which encrypts data] infrastructure to produce reliable certificates identifying the identity of websites a browser connects to, and to prevent machine-in-the-middle attacks,” he wrote. “But at the same time, little progress has been made to find better ways to communicate to users which organization they interact with.

“Instead of relying on users to decide if a website is legit or not, we need to leverage phishing-resistant authentication schemes like FIDO2. These systems leverage existing technology like TLS to prevent the use of authentication secrets across different sites.”

The post Reddit on data breach: ‘As we all know, the human is often the weakest part of the security chain’ first appeared on IT World Canada.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Cyber Security Today, June 12, 2024 – More Snowflake storage victims found, Microsoft issues new Windows patches,

More Snowflake storage victims found, Microsoft issues new Windows patches, and more. Welcome to Cyber Security Today. It's Wednesday,...

Former OpenAI employee alleges plan for AGI bidding war

In a recent interview, former OpenAI safety researcher Leopold Aschenbrenner made startling claims about his ex-employer's strategy regarding...

Malicious code in millions of installs traced to Microsoft Visual Studio

A group of Israeli researchers found thousands of potentially harmful extensions on the Visual Studio Code (VSCode) Marketplace,...

Cyber Security Today, June 10, 2024 – Microsoft backs down on Recall

Microsoft backs down on Recall. Welcome to Cyber Security Today. It's Monday, June 10th, 2024. I'm Howard Solomon, contributing...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways