Popular internet forum Reddit has revealed it has suffered a security breach.

In a post titled We had a security incident. Here's what we know, Reddit's founding engineer and CTO "KeyserSosa" – aka Christopher Slowe – explained that late on February 5 "we became aware of a sophisticated phishing campaign that targeted Reddit employees."

The attacker "sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens."

"After successfully obtaining a single employee's credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems," he added. "We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data)."

Contact information for "hundreds" of employees past and present, advertisers, and other business contacts was accessed, but Slowe said Reddit has found "no evidence to suggest that any of your personal data has been accessed, or that Reddit's information has been published or distributed online."

The post also reveals that the employee whose creds were phished self-reported the incident, whereupon Reddit's security team removed the attacker's access and commenced an internal investigation.

"We're continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills," Slowe wrote. "As we all know, the human is often the weakest part of the security chain."

In the Ask Me Anything (AMA) session Reddit ran after disclosing the incident, Slowe added: "It only takes one person to fall for it and then before you know it, two days have passed and your desk is covered in takeout boxes and empty energy drinks."

Redditors in that thread are broadly sympathetic to the company's plight, with some sharing their own stories of falling for phishing.

Slowe's responses to comments reveal that the employee who was phished had multifactor authentication enabled, as is mandatory at Reddit, but he declined to detail the time elapsed between detection of the incident and when the attackers' access to Reddit resources was revoked.

One post in the AMA asked: "Hope nobody was fired over this."

Slowe responded: "I see it as we have invested in an employee's security education. Also it was fun to be able to dust off ye olde stocks", perhaps suggesting a little internal shaming was one consequence of the incident.

Security incidents are never welcome, especially for orgs like Reddit that are reportedly keen to go public.

However, this incident appears to have had limited impact, making it more of a SNAFU than a candidate for Reddit's infamous TIFU* forum. ®

*TIFU = Today I ***ed up.
