Reddit, the internet's predominant social news and discussion site, announced its systems were hacked as the result of a targeted phishing attack.
In a 10 February post on its platform, the forums giant revealed to its 50 million daily users it had become aware of a "sophisticated phishing campaign" which targeted Reddit employees.
Phishing is a prevalent type of cyber attack where an attacker tries to trick a target victim into providing sensitive information such as a username or password, typically by sending out crafted, deceptive emails or texts.
In the case of Reddit, the attacker attempted to "steal credentials and second-factor tokens" by sending out "plausible-sounding prompts" that lured employees to a fraudulent website mimicking the behaviour of Reddit's intranet gateway.
Reddit reported just one of its employees was successfully phished during the attack, but this was enough for the attacker to gain access to a number of Reddit's resources and systems.
"After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems," the Reddit statement reads.
"Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information."
The post suggested the breach, aside from the above damages, had not reached Reddit's primary production systems, which are used to run the platform and store the bulk of its data.
Furthermore, several days of investigation conducted by "security, engineering, and data science (and friends!)" produced no evidence to suggest any non-public user data had been accessed during the hack.
Human error remains a top cyber security challenge
In its statement, Reddit said similar phishing attacks had recently been reported.
While continuing to investigate and monitor the situation closely, the social news site said it was also working with its employees to bolster the organisation's security skills.
"As we all know, the human is often the weakest part of the security chain," read the statement.
"Our goal is to fully understand and prevent future incidents of this nature… so far, it also appears that many of the lessons we learned five years ago have continued to be useful."
This is far from the first time Reddit has experienced a significant security incident – as recently as 2018 the company reported another incident when a hacker broke into its systems and accessed user data such as email addresses and hashed passwords.
"The real problem is the same as it has ever been in incidents like this: people," said Jamie Boote, Associate Principal Consultant at Synopsys Software Integrity Group.
"This was a phishing attack meant to fool a person into letting the attacker in and it worked. Because a person was compromised, their credentials were used to gather information that could be used to further exploit other people in Reddit employment," he said.
Reddit said the affected employee in the incident "self-reported" soon after they were phished, after which Reddit's security team quickly responded by removing the infiltrator's access and commencing an internal investigation.
"Good on them for coming forward. I can't imagine that's a fun message/email/call to have," said Reddit user Moggehh.
Conventional advice on phishing attacks is to report them to your IT team, even if you feel embarrassed for having fallen for one – Reddit's affected employee, for example, may have saved the company from significantly worse damages by the simple act of fessing up to their mistake.
"As you see, the problem is real. Many people get scammed, and this is not shameful," said Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group.
"For companies, the advice is to rethink their security posture on the communication side. Are you checking emails, the links and attachments in those? Are you educating your employees on the tricks?"
Following the attack, Reddit is now encouraging users to set up two-factor authentication on their accounts, use a password manager and update their password every couple of months.