Reddit hacked in phishing attack; how to secure your account
A phishing attack takes place when an unsuspecting victim receives an email that appears to come from a legitimate company. It might carry the company's logo and look genuine. But these missives are attacks in disguise, designed to get the victim to tap on a link that starts a process ending with the victim's device infected by malware. In the worst-case scenario, the attacker can then take control of the device and gain access to the victim's personal accounts, including a bank account.
According to a Reddit post written by a Reddit spokesperson, last Sunday the company first became aware of a "sophisticated and highly-targeted phishing attack" that was aimed at certain Reddit employees. The phishing campaign copied Reddit's internal platform and was designed to steal employee credentials. After obtaining the credentials from one employee of the social media firm, the attackers gained access to some "internal documents, code, and some internal business systems."
Information belonging to Reddit subscribers and the platform itself was not compromised
Reddit notes that the attacker did not break into the firm's primary production systems, which is where the social media company stores most of its data and runs the stack that powers Reddit. The attacker did have access to contact information for a limited number of companies and current and former employees. Also exposed was limited advertiser information.
Reddit was the target of a phishing attack
The Reddit post announcing the details of this breach makes it clear that the data belonging to Reddit subscribers was not accessed by the attacker. The company spokesperson wrote, "Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit's information has been published or distributed online."
Reddit first learned about the attack from the employee who responded to the phishing message. The company jumped into action by removing the attacker's access to its internal systems and launching an internal investigation. The goal of the investigation is to understand fully what occurred so that it can't happen again in the future.
"Similar phishing attacks have been recently reported," Reddit wrote. "We're continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain."
Reddit gives a couple of suggestions to secure your account
Reddit says that the best way to protect your Reddit account is to set up two-factor authentication (2FA), which adds an extra layer of security by requiring you to enter a code that is sent to your phone to access Reddit. To do this, go to your Reddit account on your computer and follow these directions:
- Click on your username in the top right of your screen.
- Select User Settings and click on the Privacy & Security tab.
- Under Advanced Security, you’ll see the Use two-factor authentication control. To enable it, click the toggle to on.
- Next, enter your password and click Confirm.
- Follow the step-by-step instructions to set up your authentication and don’t forget to save your backup codes.
- After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit.
Reddit also suggests that users employ a password manager, which will warn them before they enter their password on a phishing site because the domains won't match. Thus, you'll know not to type your password on a bogus page created just to steal your login information.
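The domain check described above can be sketched in a few lines. This is an added example, not code from Reddit or from any particular password manager. It assumes exact-origin matching (real managers may match on the registrable domain instead), and the vault entry, function names and look-alike URLs are all constructed for illustration.

```javascript
// Constructed vault: each login is stored with the origin it was saved on.
const vault = [{ origin: "https://www.reddit.com", username: "example_user" }];

// Reduce a page URL to scheme + host + port using the same WHATWG URL parser
// browsers use. It lowercases the host, drops default ports and converts
// non-ASCII labels to punycode, so look-alike characters never equal the
// saved host.
function pageOrigin(pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return null; // unparseable input: nothing to compare against
  }
  if (u.protocol !== "https:") return null; // never offer to fill over plain HTTP
  return u.origin;
}

// Return the saved logins that may be offered on this page. An empty list is
// the signal the article refers to: the manager has nothing for this domain.
function credentialsFor(pageUrl, entries = vault) {
  const origin = pageOrigin(pageUrl);
  if (origin === null) return [];
  return entries.filter((e) => e.origin === origin);
}

// Constructed sample pages: the genuine login page, then pages that only look
// like it to a human reader.
const samplePages = [
  "https://www.reddit.com/login",                // genuine
  "https://WWW.REDDIT.COM:443/login?dest=home",  // genuine, different spelling
  "https://www.reddit.com.signin.example/login", // real name used as a subdomain
  "https://www.reddit.com@signin.example/login", // real name in the userinfo part
  "https://www.r\u0435ddit.com/login",           // Cyrillic "e" (U+0435) in the host
  "http://www.reddit.com/login",                 // right host, no TLS
];

// One decision per page: would the manager offer the saved login?
function decisions(pages = samplePages) {
  return pages.map((url) => ({ url, offerFill: credentialsFor(url).length > 0 }));
}

for (const d of decisions()) {
  console.log(d.offerFill ? "offer fill" : "no match  ", d.url);
}
```

Only the first two pages get an offer to fill; on the others the manager stays silent, which is the cue not to type the password by hand.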
If you're worried about the security of your Reddit account, you might want to follow the aforementioned suggestions.