The news aggregation and social media site Reddit recently fell victim to a cyberattack that allowed hackers to access its internal systems and steal its source code.
According to a security incident notice (opens in new tab) posted on the site, the hackers behind the attack carried out a sophisticated phishing campaign to target its employees. By using a cloned version of Reddit’s intranet gateway, they were able to steal employee credentials and second-factor tokens.
With employee credentials in hand, the attackers then proceeded to gain access to some of Reddit’s internal documents, source code and some internal dashboards and business systems. Fortunately, there were no signs that Reddit’s production systems were breached.
Similarities to Riot Games data breach
Following its own internal investigation into the data breach, Reddit revealed that passwords and other user data wasn’t stolen by the attackers.
While details about the attack are scarce at this time, the company did reference a similar attack that was used to breach the game developer Riot Games. According to BleepingComputer (opens in new tab), that attack saw hackers breach the company's systems and steal source code for League of Legends and the game Teamfight Tactics, as well as an anti-cheat platform that is no longer in use.
We could potentially find out more from Reddit regarding the breach soon, but for now at least we know that user accounts weren’t affected.
How to protect your Reddit account
Unlike Facebook or Twitter, Reddit is a much more anonymous platform where users feel free to share all of their thoughts as opposed to self-censoring. As such, if a user’s Reddit posts were made public, it could find them in hot water. This is why the company is recommending that users set up two-factor authentication (2FA) for their accounts to add an extra layer of security.
In a support page, Reddit explains that to do so, you first need to click on your username and then head to User Settings and click on the Privacy & Security tab. Under the Advanced Security section, click on Use two-factor authentication, enter your password and click Confirm. From here, you need to follow the step-by-step instructions to set up 2FA and you need to write down your backup codes to ensure that you can regain access to your account in case you lose access to your two-factor authentication method. Once 2FA is set up for your Reddit account, you’ll need to enter a 6-digit code from your authenticator app every time you login to the site. We also have a detailed explainer in case you run into any problems enabling 2FA for your Reddit account.
Besides 2FA, Reddit also suggests you use one of the best password managers to securely store your credentials for the site. At the same time, you should use a unique and strong password for your account.
Large sites like Reddit are frequently targeted by hackers as they can use the data they steal to carry out other attacks or to try and secure a ransom from the company itself.