Reddit’s systems were hacked on Sunday night as a result of a sophisticated and highly targeted phishing attack.
The hackers gained access to some internal documents, code, and internal business systems, but the company believes user passwords and accounts were not breached.
Information stolen includes limited contact information for hundreds of current company contacts and current and former employees, as well as limited advertiser information. The company did not provide details on what "limited" means.
The phishing campaign targeted Reddit employees. The attacker sent out “plausible-sounding prompts” that directed employees to a website imitating Reddit’s intranet gateway, in an attempt to steal both credentials and second-factor tokens.
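The defensive counterpart to the lure described above is spotting hosts that imitate a trusted gateway in DNS or proxy logs before credentials are entered. The following is an added example, not code from the article or from Reddit: it normalizes observed hostnames, compares them against a trusted gateway name, and flags homoglyph, embedded-name and typosquat lookalikes. The gateway hostname `intranet.example.com` and the log lines are constructed placeholders, not Reddit's real infrastructure.

```python
"""Flag hostnames in proxy logs that resemble a trusted intranet gateway.

Added example; the trusted hostname and log lines are constructed.
"""
import re

# Constructed trusted gateway name (placeholder, not Reddit's real host).
TRUSTED_HOSTS = {"intranet.example.com"}

# Substitutions commonly used to make a lookalike read like the real name.
_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
         ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(host: str) -> str:
    """Lowercase, strip a trailing dot, and undo common homoglyph swaps."""
    host = host.lower().rstrip(".")
    for bad, good in _SUBS:
        host = host.replace(bad, good)
    return host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values indicate a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive last-two-labels heuristic; production code should use the
    Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, trusted=TRUSTED_HOSTS, max_distance=2) -> str:
    """Return one of: trusted, homoglyph, embedded, typosquat,
    same-domain, unrelated."""
    h = host.lower().rstrip(".")
    if h in trusted:
        return "trusted"
    n = normalize(h)
    for t in trusted:
        tn = normalize(t)
        if n == tn:
            return "homoglyph"
        # Trusted name used as a subdomain of, or folded into, a foreign
        # registrable domain, e.g. intranet.example.com.login-portal.net
        if n.startswith(tn + ".") or (
            tn.replace(".", "-") in n
            and registrable_domain(n) != registrable_domain(tn)
        ):
            return "embedded"
        if levenshtein(n, tn) <= max_distance:
            return "typosquat"
        if registrable_domain(n) == registrable_domain(tn):
            return "same-domain"
    return "unrelated"


# Constructed proxy log lines (key=value format chosen for this example).
LOG_LINES = [
    "12:14:03 user=alice host=intranet.example.com status=200",
    "12:16:41 user=bob host=intranet.examp1e.com status=200",
    "12:17:02 user=carol host=intranet.example.com.login-portal.net status=200",
    "12:19:55 user=dave host=intranet.exmaple.com status=200",
    "12:20:10 user=erin host=docs.python.org status=200",
]
_HOST_RE = re.compile(r"\bhost=(\S+)")


def scan(lines=LOG_LINES):
    """Return (host, verdict) pairs for lookalike hosts only; trusted,
    same-domain and clearly unrelated hosts are not reported."""
    findings = []
    for line in lines:
        m = _HOST_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group(1))
        if verdict not in ("trusted", "same-domain", "unrelated"):
            findings.append((m.group(1), verdict))
    return findings


if __name__ == "__main__":
    for host, verdict in scan():
        print(f"{verdict:10s} {host}")
```

The distance threshold and the two-label domain heuristic are deliberately simple; tune them against a real allow-list before alerting on them. Note that a lookalike site relaying a one-time code works precisely because the code is not bound to the site that requested it, which is why origin-bound second factors such as FIDO2/WebAuthn are the usual hardening against this class of lure.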
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems,” the company wrote in a Reddit post. “We show no indication of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”
The company explained that, based on several days of initial investigation by security, engineering, and data science, there is no evidence that non-public user data was accessed, or that Reddit’s information has been published or distributed online.
The employee initially affected by the hack reported the incident and the security team responded quickly, removing the infiltrator’s access and starting an internal investigation.
Users in the thread posted kudos to the employee who reported the hack. One in particular noted that the exposure included code and wondered whether this was a precursor to a more in-depth attack.
Similar phishing attacks have been recently reported, and the company continues to investigate and monitor the situation closely.
Reddit also took the opportunity to remind users to enable two-factor authentication.