News just in! Reddit, the hugely popular social news website and forum, has suffered a data breach.
How did it happen? What did hackers steal? Should you be worried? We’ll answer all that and more below.
Let’s dive in.
How did the Reddit breach happen?
As with many breaches these days, the Reddit incident has its roots in a highly targeted phishing scam.
According to the breach notification post from Reddit’s CTO, an unknown attacker sent out “plausible-sounding prompts” directing Reddit employees to a fraudulent website that mimicked the company’s intranet portal in a bid to harvest credentials and multi-factor authentication tokens.
One employee, unfortunately, fell for the trick, entering their details into the phony site. The hackers then used this info to successfully breach Reddit’s internal systems, where they accessed “some internal docs, code, as well as some internal dashboards and business systems.”
Thankfully, it appears the attacker didn’t manage to infiltrate primary production infrastructure, where most of Reddit’s sensitive information resides. However, the post noted that the attacker did get away with some sensitive data relating to employees, advertisers and partners.
While it’s great that customer information wasn’t compromised, the fact that the threat actors got away with employee information is undeniably worrying. They could potentially use this information to craft even more sophisticated, convincing phishing scams in the future.
We’re also curious about exactly what source code was accessed in the attack. If it related to critical applications, for example, there’s an increased likelihood that the hackers responsible could then exploit vulnerabilities in Reddit’s platform at a later date, triggering a severe cyber-attack.
How did Reddit find out about the breach?
In a rather encouraging twist of events, the employee who was phished actually came forward about the incident to the Reddit security team on 5th February. Once alerted, the security team quickly cut off the attacker’s access and commenced an internal investigation.
Reddit then released its post on the incident on 9th February, stating it was continuing its investigation and attempting to fortify its approach to employee training.
I’m a Reddit user, what should I do?
Luckily, it doesn’t look like – at this point – any user information was exposed in the data breach. However, it’s still a wise idea to review your Reddit account security, just in case.
As the recent LastPass breach demonstrates, the full extent of a security incident doesn’t tend to come to light until months after the breach. So, rather than trust Reddit’s early investigative findings implicitly, we recommend taking matters into your own hands by:
- Implementing two-factor authentication on your account if you haven’t already
- Changing your password to a unique, hard-to-guess combination
Lessons from the Reddit data breach
As Reddit’s CTO said, this breach reinforces that “the human is often the weakest part of the security chain.”
What’s encouraging about this incident, though, is that the employee who was duped reported the scam to the security team. They realized – albeit too late – that they had fallen for a social engineering scam and took the necessary steps to alert their organization. Had they not realized, the damage done could’ve been far greater, as the attacker would’ve had access to Reddit’s systems for much longer.
Of course, a better outcome would be if the employee never fell for the scam in the first place. As always, employee training and education are the best way to reduce the likelihood of such incidents occurring.
As we’ve spoken about in great detail, security education needs a rethink. Too often, organizations host one-off eLearning sessions or annual away days to tick off their security training objectives.
These sessions rarely have the desired impact. A one-day session is unlikely to have a long-term effect. In fact, research shows knowledge retention rates drop by more than 50% when a training session runs longer than two minutes.
Instead, organizations should deploy training via workflow nudges and prompts, which use positive, real-time reminders to influence people towards better security decisions – and we’ve got the tool to help you do it.
Polymer data loss prevention (DLP) is a cloud security tool that protects your data, while nudging your users towards better security decisions.
Working in apps like Slack, Teams, Google Drive and more, our tool delivers helpful security nudges, based on psychology and heuristics, to guide employees towards a security-aware mindset. Rather than blocking your employees or working against them, Polymer DLP empowers them with the information they need to make the best decision, every time.
Ready to improve security training in your organization? Request a free demo today.