Reddit confirms it was hacked after employee was victim of phishing attack

The popular internet forum said it had so far seen no evidence that user data had been compromised.

Martyn Landi
Friday 10 February 2023 06:12 EST
Reddit has confirmed it was the victim of a hacking attack (Nick Ansell/PA)

Popular internet forum website Reddit has confirmed it was the victim of a cyber attack, with hackers using a phishing attack on employees to steal login details and access the platform’s internal systems.

The company said the attack on February 5 had seen hackers gain access to “internal documents, code, as well as some internal dashboards and business systems”.

However, the online forum said that after several days of investigation, it had “no evidence” to suggest that Reddit user passwords or other information had been compromised or distributed online.

In a statement posted to Reddit, the company said a “sophisticated phishing campaign” had been used to target Reddit employees.

A phishing attack involves hackers posing as a credible figure or business in an effort to trick victims into handing over personal information.

“As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behaviour of our intranet gateway, in an attempt to steal credentials and second-factor tokens,” Reddit said of the attack.

“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”

Reddit confirmed that “limited contact information” of current and former employees and “limited advertiser information” had been exposed in the attack.

The company said the affected employee in the attack self-reported the incident and the firm’s security team cut off the attacker’s access.

Reddit also used the incident to encourage users to boost their own personal security.

“Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account,” the company said.

“The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account.

“And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.”
