The company doesn’t believe any private user data were compromised.
Reddit has disclosed that it sustained a data breach on February 5th after an employee fell for a phishing attack, BleepingComputer reports.
Phishing attack leads to data breach.
Reddit said in a statement that an attacker set up a website that impersonated the company’s intranet gateway and was designed to steal credentials and two-factor authentication tokens. After an employee fell for the ruse, the attacker “gained access to some internal docs, code, as well as some internal dashboards and business systems.” The company added, “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).” Reddit also hasn’t found any signs that the attacker accessed user data.
Industry comment on the Reddit incident.
A number of industry experts weighed in on lessons to be learned from the Reddit breach. Tonia Dudley, CISO at Cofense, offered the following observations:
"Reddit’s recent cyberattack allowed hackers to enter internal business systems and steal source code and internal data due to a phishing campaign that targeted Reddit employees. Business email compromise (BEC) amounts to an estimated $500 billion-plus annually lost to fraud. Credential phishing pages are inexpensive to host and attackers can easily change the infrastructure of these malicious webpages. Credential phishing attacks leave few indicators of compromise (IOCs), making breach investigations difficult.
"Employees play a vital role in protecting the organization from malicious email phishing attacks. By reporting suspicious emails, they can help create a strong line of defense against cyberattacks. In this case, the employee who was phished reported it immediately once they realized what happened, which allowed Reddit’s security team to respond quickly and remove the infiltrator’s access. This quick response is precisely what security teams should replicate to mitigate further damages and prevent future phishing attacks.
"To prevent future phishing attacks, organizations should implement stronger employee training to recognize phishing emails, offer a simple reporting method and provide the necessary tools to quickly remove these threats. Everyone in the organization needs to understand the importance of email security. Regularly send out reminders and best practices to make sure your team can be more aware and safe."
Added, 8:30 PM ET, February 10th, 2023.
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, observed that social engineering is ubiquitous. “On any given day, a regular person in a normal enterprise or organization has a very strong chance of receiving some sort of phishing email. And this, even with strong email filters and other IT tools to prevent these sorts of tactics. Preying on workers’ desire for quick turnaround coupled with their natural desire to help out anybody higher within the corporate hierarchy, threat actors can take a silly email about the CEO losing a credit card or needing account credentials and turn that into virtual gold. Effective and ongoing training (as part of that culture of data security and data privacy) sponsored from the top down, along with a corporate culture that encourages employees to analyze requests for sensitive data no matter how much time it takes, can turn the tide on this ever-present trend of phishing attacks.”
Paul Bischoff, privacy advocate at Comparitech, draws the lesson that two-factor authentication is insufficient, and must be supplemented by employee training. “Two-factor authentication has long been one of the best ways to prevent compromised passwords from being abused by attackers. This attack shows how, even with 2FA enforced, users can be phished and their accounts hacked. The incident underscores the need to train all staff who use internet-connected devices to spot and handle phishing messages.”
Chris Hauk, consumer privacy champion at Pixel Privacy, also sees the incident as bringing out the importance of training. “This incident underscores the need for educating employees and executives on the dangers of phishing attacks. That said, as the bad actors of the world become more skilled at phishing attacks like this it becomes tougher and tougher to recognize them. Since this attack gleaned company contact info, Reddit employees will need to stay alert for future attacks that use the information gleaned in this one.”
Jamie Boote, Associate Software Security Consultant at Synopsys Software Integrity Group, notes that the problem is a perennial one: human error:
“The real problem is the same as it has ever been in incidents like this: People. This was a phishing attack meant to fool a person into letting the attacker in and it worked. Because a person was compromised, their credentials were used to gather information that could be used to further exploit other people in Reddit employment. This information included employee contact information and some advertising data which could be used to launch additional phishing attacks against Reddit and its advertising partners.
"The good news is that the breach appeared to be limited to office systems and didn’t breach the production systems that host the website itself, user data, or other information that could be used to compromise Reddit users. This is likely because they limited access to the production data from non-IT employees in an attempt to compartmentalize operations that would limit the impact of a breach.
"In today’s networking environments, software and hardware is no longer the least secure component of the system – people are. When designing IT systems, applications, and devices, it should be assumed that a user will fall for a phishing scam, download the wrong application, or otherwise fail to act in a perfectly secure way. By taking this into account, defense in depth can limit the impact of a breach. For example, if the user’s credentials are compromised, then identity and access management (IAM) controls can limit what data those credentials will unlock. If a user’s computer is compromised, network segmentation and intrusion detection systems can limit how far that system can be used to further compromise the network. If a user doesn’t need access to important data, remove that access. If one assumes that people will eventually be fooled, they’ll never be disappointed.”
Boris Cipot, Senior Security Engineer, also at Synopsys Software Integrity Group, cautions that any organization is susceptible to social engineering:
“If you think this cannot happen to you, think again. Phishing attempts are happening every day. Scamming people into giving up their private data is happening in different forms. We have seen the most used one as emails, we have seen messaging scams in the form of SMS and WhatsApp messages and even now Instagram and Facebook postings. Every popular form of communication is abused. The keyword is popular, as this is also where the scam can reach the most targets. There are also targeted attacks, as one could imagine to be the case at Reddit. Targeted phishing emails are not just a theme in popular Hollywood blockbusters but are also a real-life thing happening every day to private and business users.
"The best way to avoid scams like this is to be careful about what you receive. Do not open attachments. If you doubt the source, do not take the requested action in the message. Do not click on the link 'Track your package'. Rather, open the browser and enter the parcel company's or bank's URL manually rather than clicking on a link that takes you there. Also think about this: a bank or any serious company will never ask you for your private information of any kind in an email. If you are in doubt, pick up the phone, call them, and ask if it is really them sending the message. By the way, do not use the contact data in the email for this, as it can also be false.
"For companies, the advice is to rethink their security posture on the communication side. Are you checking emails and the links and attachments in them? Are you educating your employees on the threats? This is really needed to make sure that protection against phishing and other scamming techniques is provided. Do not forget social engineering either, as it is often part of the main attack vector.
"As for 2FA, many say that SMS is not meant to be used for security. This is true and many services depend already on authenticator apps from Google or Microsoft or even have their own to provide the necessary additional security. However, if there is nothing, SMS is better than a pure Username and Password combination.”
Sam Humphries, Head of Security Strategy, EMEA, Exabeam, pointed out the way in which credential theft can expose an organization to an attacker:
“This latest incident is yet another reminder that all it takes is one employee’s credentials to be stolen to open the door to an organisation’s internal systems. This compromise is often achieved through a simple, tried-and-true method – targeted phishing attacks. By accessing one user’s account after they fell victim to the phishing attempt, the adversaries were able to mine numerous documents and source code – and this company is not alone. Many others have been successfully breached the same way in recent weeks.
“Fortunately, in the case of Reddit, the targeted employee self-reported the incident to their security team, allowing for prompt investigation and response. More often, organisations struggle to detect the usage of compromised credentials. A recent survey found that 65% of security professionals still prioritise prevention over threat detection, investigation, and response - demonstrating that there is a clear disconnect between the frequency with which companies are facing these attacks and the ability to detect them successfully.
“As such, organisations need to place as much (if not more) emphasis on detection as prevention. This will allow them to more efficiently and effectively identify malicious behaviour indicative of a compromised employee account and minimise data theft.”
Justin McCarthy, co-founder and CTO, StrongDM, points out that the goal is typically access:
“The goal of nearly every cyber adversary is simple – access – and whether they gain access through phishing or other means the outcome is never good.
"Attackers are relying on highly-sophisticated social engineering tactics to secure valid credentials because they’re essentially VIP passes into databases and servers — as evidenced by this Reddit incident. Unfortunately, once adversaries get those valid credentials, they oftentimes have unlimited access internally.
"Even the most cyber-aware employees can unknowingly fall victim to a phishing attack. Ensuring that access to infrastructure is secured for all users — from admins, developers, analysts and more — is critical to keeping employee, partner and customer data safe. One way to accomplish this, and prevent fallout from a phishing attempt, is completely eliminating credentials from the hands of your staff and moving to just-in-time access or ‘Zero Standing Privilege.’”
Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity, points out that phishing continues because it's successful:
"Cybercriminals are continuing to have great success with this method of breaching corporate networks – and organisations are now playing catch-up to protect against these threats.
"To ensure preparedness, businesses need to ensure they have real-time anti-phishing integrated into any security solutions that they install on employee endpoint devices. Hackers make money from successful phishing attacks and are therefore constantly changing their techniques and tactics to ensure the highest rate of return. Powerful threat intelligence technology that uses machine learning to identify the latest threats can help massively when it comes to protecting against these ever-evolving scams.
"It’s also crucial to ensure staff are properly trained to identify threats. There’s no use investing in sophisticated cybersecurity software and services if employees continue to click on dangerous phishing links that slip through the net, in turn granting cybercriminals access to the business network. It’s like turning on a fancy home security alarm, but leaving a window open – you’ll be left playing catch-up after the bad guys get in. Cybersecurity training providers are now working continuously to adjust the content in their courses and simulations to reflect the latest threat landscape – and businesses need to ensure they’re rolling out a comprehensive and consistent education programme as well as the latest anti-phishing technology. Only then will they be able to truly improve employee vigilance and stand the best chance of defending the network.”
Jasson Casey, CTO at Beyond Identity, disagrees with the characterization of the attack as "sophisticated." It was successful, and well-executed, but it was in other respects an ordinary kind of attack:
“Reddit is describing this incident as a ‘sophisticated’ and ‘highly-targeted’ attack. While it was most certainly a targeted attack, these attacker-in-the-middle (AiTM) tactics are not sophisticated at all. There are multiple open source kits that make launching this type of attack a paint-by-numbers exercise. We’re seeing an alarming number of successful MFA bypass attacks over the last few years. Social media makes creating a plausible phishing lure simple and AiTM kits that set up a reverse-proxy are freely available to adversaries. So, bad actors are all but walking through organizations’ front doors.
"Indeed, while in theory MFA should protect against this by requiring multiple different factors for authentication, in practice, it isn’t so simple. Often, these other factors are just as vulnerable to phishing as just using passwords to authenticate. This is why the U.S. Government is warning about these attacks and forcing its agencies to implement 'phishing-resistant' MFA.
"Security teams need to be having conversations about the distinction between good and bad MFA. If you want to eliminate the risk of a breach, you need these foundational systems in place. Passwords and weak MFA act as a doorstop rather than a padlock. Organizations need to focus on passwordless authentication and phishing-resistant MFA if they are to finally shut the front door and block a whole class of attack pathways. This should be the wake up call that organizations need.”
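The mechanism behind Casey's distinction between "good and bad MFA", and behind the fake intranet gateway Reddit described, is easy to show in code. The simulation below is an added example written for this article; it is not code from Reddit or from any vendor quoted above. It models a reverse-proxy (AiTM) phishing site that relays whatever the victim submits to the real gateway in real time. Against password plus a six-digit TOTP code the relay works, because the code is valid wherever it is typed, and the attacker walks away with a live session cookie. Against a WebAuthn-style login it fails, because the browser writes its own origin into the signed client data and the gateway rejects anything not signed for the genuine origin. The hostnames, the user "alice", her password and all keys are made up, and the "signature" is an HMAC stand-in for the asymmetric signature a real security key produces; the property demonstrated, origin binding, is the same.

```python
"""Reverse-proxy (AiTM) phish against TOTP versus origin-bound (WebAuthn-style) MFA.

Constructed example for this article, not Reddit's or any vendor's code.  Hosts,
users and secrets are made up; HMAC stands in for the authenticator's signature.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://intranet.example.com"   # assumed: the real gateway
PHISH_ORIGIN = "https://intranet-example.com"   # assumed: attacker's look-alike host


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, standard dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Gateway:
    """The intranet gateway: password+TOTP login, or a WebAuthn-style assertion login."""

    def __init__(self):
        self.users = {"alice": {"pw": "hunter2",
                                "totp_secret": secrets.token_bytes(20),
                                "key": secrets.token_bytes(32)}}
        self.sessions = {}     # session cookie -> user
        self.challenges = {}   # user -> outstanding challenge

    def _issue_session(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def login_totp(self, user, pw, code, now):
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(pw, u["pw"]):
            return None
        if not hmac.compare_digest(code, totp(u["totp_secret"], now)):
            return None
        return self._issue_session(user)   # a valid code from anywhere earns a cookie

    def challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_webauthn(self, user, client_data, sig):
        u = self.users.get(user)
        if u is None:
            return None
        cd = json.loads(client_data)
        # Origin binding: the browser put its own origin into client_data and the
        # key signed it, so an assertion made on a look-alike host is rejected here.
        if cd.get("origin") != LEGIT_ORIGIN:
            return None
        if cd.get("challenge") != self.challenges.pop(user, None):
            return None
        expected = hmac.new(u["key"], client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        return self._issue_session(user)


def authenticator_assert(key, challenge, browser_origin):
    """Browser builds client data with the origin it is actually on; the key signs it."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


class AitmProxy:
    """Attacker's reverse proxy: relays the victim's submission live, keeps any cookie."""

    def __init__(self, gw):
        self.gw, self.stolen_session = gw, None

    def relay_totp(self, user, pw, code, now):
        self.stolen_session = self.gw.login_totp(user, pw, code, now)
        return self.stolen_session is not None

    def relay_webauthn(self, user, client_data, sig):
        self.stolen_session = self.gw.login_webauthn(user, client_data, sig)
        return self.stolen_session is not None


def totp_is_phishable(now=1_700_000_000):
    """Victim types password and current code into the proxy; attacker gets her session."""
    gw = Gateway()
    proxy = AitmProxy(gw)
    code = totp(gw.users["alice"]["totp_secret"], now)   # read off the victim's phone
    proxy.relay_totp("alice", "hunter2", code, now)
    return gw.sessions.get(proxy.stolen_session) == "alice"


def webauthn_is_phishable():
    """Same relay, but the browser on the look-alike host signs PHISH_ORIGIN."""
    gw = Gateway()
    proxy = AitmProxy(gw)
    chal = gw.challenge("alice")   # proxy forwards the gateway's real challenge
    cd, sig = authenticator_assert(gw.users["alice"]["key"], chal, PHISH_ORIGIN)
    proxy.relay_webauthn("alice", cd, sig)
    return proxy.stolen_session is not None


def webauthn_legit_login_works():
    gw = Gateway()
    chal = gw.challenge("alice")
    cd, sig = authenticator_assert(gw.users["alice"]["key"], chal, LEGIT_ORIGIN)
    return gw.login_webauthn("alice", cd, sig) is not None


if __name__ == "__main__":
    print("TOTP relayed through AiTM proxy succeeded:", totp_is_phishable())
    print("WebAuthn relayed through AiTM proxy succeeded:", webauthn_is_phishable())
    print("WebAuthn from the real origin succeeded:", webauthn_legit_login_works())
```

Run it and the first line prints True, the second False, the third True. In a real browser the protection kicks in even earlier: a WebAuthn credential is registered against a relying-party ID, and a browser on `intranet-example.com` will not offer a credential scoped to `intranet.example.com` at all, so the server-side origin check above is the second half of one guarantee. Nothing comparable exists for a TOTP code, an SMS code or a push approval, which is why those factors relay cleanly through the proxy and why the CISA/OMB push toward phishing-resistant MFA that Casey refers to singles out FIDO2/WebAuthn and PIV-style authenticators.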