Cybersecurity experts have long said that attackers need only to get lucky only once, while organizations have to be lucky every time there’s an attack.
Evidence of that maxim was demonstrated in the explanation by Reddit of its recent data breach.
On Feb. 5, an unknown attacker launched what the discussion site called a “sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”
As a result of the incident, the statement said, Reddit is working to “fortify” employees’ security skills. “As we all know, the human is often the weakest part of the security chain,” the statement added.
To this employee’s credit, however, they reported their mistake, allowing Reddit’s security team to quickly remove the infiltrator’s access.
There is no evidence the site’s primary production systems — the parts of the stack that run Reddit and store the majority of its data — were accessed, the statement said. Reddit user passwords and accounts are safe, it added.
However, the site admitted the attacker accessed “some internal documents, code, and some internal business systems.”
Exposed data included what the statement called “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”
The statement also urges Reddit users to enable multifactor authentication to protect their login credentials, and to use a password manager.
Johannes Ullrich, dean of research at the SANS Technology Institute, noted in an email that there is a lot of technology to detect website impersonation. “For example, companies like Google have invested a lot of effort to clean up the TLS [transport layer security, which encrypts data] infrastructure to produce reliable certificates identifying the identity of websites a browser connects to, and to prevent machine-in-the-middle attacks,” he wrote. “But at the same time, little progress has been made to find better ways to communicate to users which organization they interact with.
“Instead of relying on users to decide if a website is legit or not, we need to leverage phishing-resistant authentication schemes like FIDO2. These systems leverage existing technology like TLS to prevent the use of authentication secrets across different sites.”