Reddit hit by data breach after hackers targeted its employees — what you need to know
Sophisticated phishing campaign was used to steal source code and internal data
The news aggregation and social media site Reddit recently fell victim to a cyberattack that allowed hackers to access its internal systems and steal its source code.
According to a security incident notice posted on the site, the hackers behind the attack carried out a sophisticated phishing campaign to target its employees. By using a cloned version of Reddit’s intranet gateway, they were able to steal employee credentials and second-factor tokens.
With employee credentials in hand, the attackers then proceeded to gain access to some of Reddit’s internal documents, source code and some internal dashboards and business systems. Fortunately, there were no signs that Reddit’s production systems were breached.
Similarities to Riot Games data breach
Following its own internal investigation into the data breach, Reddit revealed that passwords and other user data weren’t stolen by the attackers.
While details about the attack are scarce at this time, the company did reference a similar attack that was used to breach the game developer Riot Games. According to BleepingComputer, that attack saw hackers breach the company's systems and steal source code for League of Legends and the game Teamfight Tactics, as well as an anti-cheat platform that is no longer in use.
We could potentially find out more from Reddit regarding the breach soon, but for now at least we know that user accounts weren’t affected.
How to protect your Reddit account
Unlike Facebook or Twitter, Reddit is a much more anonymous platform where users feel free to share all of their thoughts as opposed to self-censoring. As such, if a user’s Reddit posts were made public, it could land them in hot water. This is why the company is recommending that users set up two-factor authentication (2FA) for their accounts to add an extra layer of security.
In a support page, Reddit explains that to do so, you first need to click on your username and then head to User Settings and click on the Privacy & Security tab. Under the Advanced Security section, click on Use two-factor authentication, enter your password and click Confirm. From here, you need to follow the step-by-step instructions to set up 2FA, and you need to write down your backup codes to ensure that you can regain access to your account in case you lose access to your two-factor authentication method. Once 2FA is set up for your Reddit account, you’ll need to enter a 6-digit code from your authenticator app every time you log in to the site. We also have a detailed explainer in case you run into any problems enabling 2FA for your Reddit account.
Besides 2FA, Reddit also suggests you use one of the best password managers to securely store your credentials for the site. At the same time, you should use a unique and strong password for your account.
Large sites like Reddit are frequently targeted by hackers as they can use the data they steal to carry out other attacks or to try and secure a ransom from the company itself.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.