Reddit cyber attack: Security upgrade warning for users after ‘sophisticated’ scam targets forum’s staff
Reddit was the victim of a cyber attack that saw hackers steal employee login details and access the platform’s internal systems.
The popular internet forum said the incident took place on 5 February.
In a statement, the company revealed hackers accessed “internal documents, code, as well as some internal dashboards and business systems”.
But there is “no evidence” to suggest that user passwords or other information had been compromised.
Reddit said its staff had fallen victim to a “sophisticated” campaign of phishing, whereby people are tricked into handing over personal information by bad actors posing as credible figures or businesses.
Targeted employees were sent “plausible-sounding prompts” pointing them towards a website that cloned the company’s internal gateway, which staff use to log in, before attempting to steal their credentials.
Reddit confirmed the attack also exposed “limited contact information” of some current and former workers, plus “limited advertiser information”.
Those affected reported the incident and the attacker’s access was cut off, it added.
While users have not been impacted, Reddit has urged people to boost their own account security.
“This is a good time to remind you how to protect your Reddit account,” it said.
Effective measures include setting up two-factor authentication, which adds an extra layer of security, and updating your password every few months.
Phishing attacks ‘becoming increasingly sophisticated’
The kind of attack which befell Reddit staff is becoming more common and complex, an expert has warned.
Phishing aims to take advantage of a victim’s expectation of what they might see online, which is why such attacks are so common during busy shopping periods like Black Friday and Christmas.
An example may be a scam email purporting to be from a recognised retailer, offering a deal if you click on a link.
Darren Guccione, chief executive and co-founder of Keeper Security, said: “The key is to ensure the URL of the destination website matches the authentic website.
“When a password manager is used, it automatically identifies when a site’s URL doesn’t match what’s contained in the user’s vault, which provides a critical extra layer of security.”
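The URL check described in the quote above can be sketched in a few lines. This is an added example, not code from the article, Reddit or any password manager: the vault layout, function names and the reserved ".test" hosts are assumptions made for illustration. It compares the page's parsed origin with the saved one, so a cloned gateway gets no autofill even when the real name appears somewhere in its address.

```javascript
// Added example: hosts, usernames and the vault layout are constructed.
// Reserved ".test" domains stand in for a real internal login gateway.
const VAULT = [
  { label: "Internal SSO", origin: "https://sso.corp-gateway.test", username: "alice" },
];

// Reduce a URL string to its origin (scheme + host + port) using the
// WHATWG URL parser, which follows the same parsing rules as a browser.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null; // not a parseable absolute URL
  }
  // Never offer saved credentials to a page loaded without HTTPS.
  if (url.protocol !== "https:") return null;
  return url.origin;
}

// Return the vault entry to autofill on this page, or null when the
// page's origin is not exactly the origin the credential was saved for.
function entryForPage(vault, pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return null;
  return vault.find((entry) => entry.origin === origin) ?? null;
}

// Constructed sample pages: the genuine gateway followed by four clones.
const PAGES = [
  "https://sso.corp-gateway.test/login?next=/home",        // genuine
  "https://sso.corp-gateway.test.login-portal.test/login", // real name used as a subdomain
  "https://sso.corp-gateway.test@login-portal.test/login", // real name placed before "@"
  "https://sso.corp-gatevvay.test/login",                  // look-alike spelling
  "http://sso.corp-gateway.test/login",                    // right host, no HTTPS
];

// Summarise, per page, whether the manager would offer to fill the login form.
function report(vault, pages) {
  return pages.map((page) => ({ page, fill: entryForPage(vault, page) !== null }));
}

console.log(report(VAULT, PAGES));
```

A missing autofill prompt on a page that looks like the usual login screen is the signal to stop and check the address bar.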