Reddit on data breach: ‘As we all know, the human is often the weakest part of the security chain’

Cybersecurity experts have long said that attackers need only to get lucky only once, while organizations have to be lucky every time there’s an attack.

Evidence of that maxim was demonstrated in the explanation by Reddit of its recent data breach.

On Feb. 5, an unknown attacker launched what the discussion site called a  “sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”

As a result of the incident, the statement said, Reddit is working to “fortify” employees’ security skills. “As we all know, the human is often the weakest part of the security chain,” the statement added.

To this employee’s credit, however, they reported their mistake, allowing Reddit’s security team to quickly remove the infiltrator’s access.

There is no evidence the site’s primary production systems — the parts of the stack that run Reddit and store the majority of its data — were accessed, the statement said.  Reddit user passwords and accounts are safe, it added.

However, the site admitted the attacker accessed “some internal documents, code, and some internal business systems.”

Exposed data included what the statement called “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

The statement also urges Reddit users to enable multifactor authentication to protect their login credentials, and to use a password manager.

Johannes Ullrich, dean of research at the SANS Technology Institute, noted in an email that there is a lot of technology to detect website impersonation. “For example, companies like Google have invested a lot of effort to clean up the TLS [transport layer security, which encrypts data] infrastructure to produce reliable certificates identifying the identity of websites a browser connects to, and to prevent machine-in-the-middle attacks,” he wrote. “But at the same time, little progress has been made to find better ways to communicate to users which organization they interact with.

“Instead of relying on users to decide if a website is legit or not, we need to leverage phishing-resistant authentication schemes like FIDO2. These systems leverage existing technology like TLS to prevent the use of authentication secrets across different sites.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now