Reddit has announced that they learned of a breach after the employee self-reported the incident to the company’s security team. After investigating the incident, Reddit says the stolen data includes limited contact information for company contacts and current and former employees.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems,” explains Reddit in their security incident notice. “We show no indication of a breach of our primary production systems (the parts of our stack that run Reddit and store most of our data).”
The data also included details about the company’s advertisers, but credit card information, passwords, and ad performance were not accessed. Reddit also says that there are no indications that the threat actors were able to breach production systems used to run the website.
All organizations should provide phishing awareness and defense training to all of their employees/users. A simple defense technique would be adopting a zero-trust attitude toward outside communication. For email, the zero-trust model means not allowing the delivery of messages unless they originate from a sender who can be authenticated and who has been granted explicit permission to deliver messages to that inbox.