Reddit on data breach: ‘As we all know, the human is often the weakest part of the security chain’

Cybersecurity experts have long said that attackers need only to get lucky only once, while organizations have to be lucky every time there’s an attack.

Evidence of that maxim was demonstrated in the explanation by Reddit of its recent data breach.

On Feb. 5, an unknown attacker launched what the discussion site called a  “sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.”

As a result of the incident, the statement said, Reddit is working to “fortify” employees’ security skills. “As we all know, the human is often the weakest part of the security chain,” the statement added.

To this employee’s credit, however, they reported their mistake, allowing Reddit’s security team to quickly remove the infiltrator’s access.

There is no evidence the site’s primary production systems — the parts of the stack that run Reddit and store the majority of its data — were accessed, the statement said.  Reddit user passwords and accounts are safe, it added.

However, the site admitted the attacker accessed “some internal documents, code, and some internal business systems.”

Exposed data included what the statement called “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

The statement also urges Reddit users to enable multifactor authentication to protect their login credentials, and to use a password manager.

Johannes Ullrich, dean of research at the SANS Technology Institute, noted in an email that there is a lot of technology to detect website impersonation. “For example, companies like Google have invested a lot of effort to clean up the TLS [transport layer security, which encrypts data] infrastructure to produce reliable certificates identifying the identity of websites a browser connects to, and to prevent machine-in-the-middle attacks,” he wrote. “But at the same time, little progress has been made to find better ways to communicate to users which organization they interact with.

“Instead of relying on users to decide if a website is legit or not, we need to leverage phishing-resistant authentication schemes like FIDO2. These systems leverage existing technology like TLS to prevent the use of authentication secrets across different sites.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs