Popular social media site Reddit – “orange Usenet with ads”, as we’ve somewhat ungraciously heard it described – is the latest well-known web property to suffer a data breach in which its own source code was stolen.

In recent weeks, LastPass and GitHub have confessed to similar experiences, with cybercriminals apparently breaking and entering in much the same way: by figuring out a live access code or password for an individual staff member, and sneaking in under cover of that individual’s corporate identity.

In Reddit’s own words:

Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.

We’re not sure quite how suitable the adjective “sophisticated” is here, not least because Reddit quickly goes on to state that:

As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens. After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

In other words, this attack almost certainly succeeded not because it was sophisticated, but because it wasn’t.

Someone, perhaps in a hurry, arrived at what they thought was the frontier, handed over their passport to a fellow-traveller instead of to an official border agent, and then found themselves trapped in nowhere-land without any ID while the imposter sailed through the border crossing in their name.

The single most important factor in an identity-hijacking attack of this sort is not sophistication but, as Reddit rightly pointed out above, plausibility, making it easy even for well-informed and cautious individuals to “coast through” based on habit and experience.

Note, too, that Reddit’s own description says the fake gateway was built to capture second-factor tokens as well as passwords. A one-time code typed into a look-alike site is just as stolen as the password that preceded it, so a 2FA code on its own is no defence against a cloned login page: the thing that has to be checked is the site you are typing into, not just what you type.

How far did the crooks get?

As already stated, some of Reddit’s own internal systems were accessed by the attackers.

In addition to the mostly-harmless-sounding “docs” and “code” listed above, Reddit has admitted that information about past and present employees and “contacts” (we’re assuming this includes, but is not limited to, contractors and other non-permanent staffers) was stolen, along with information about advertising customers.

Reddit hasn’t stated publicly what sort of data fields were included in the stolen information, merely that the breach was “limited”.

The word limited might be a good sign (e.g. name and email address, and no other data), but could just as easily be a bad thing (e.g. “only” two data items: your social security number and a scan of your driving licence).

Signed-up users of the Reddit service, it seems – Redditors, as they are known – can stand down from Blue Alert, with Reddit saying that its investigation so far shows no indication that what it calls “non-public data” (in other words, stuff that you didn’t post for the world to see anyway) was accessed by the cybercriminals.

And, as mentioned earlier, the Reddit systems themselves – the operating systems, code and networks that run the Reddit services you interact with, whether as a user or a visitor – don’t seem to have been breached.

From this, we infer that the crooks are unlikely to have made off with data such as login records, system logs, location information or password hashes.

The company also stated, in its notification, that it is still investigating this incident (which happened on Sunday).

Given its reasonably quick response so far, we’re guessing that Reddit will follow up in due course to say whether it found any further evidence of compromise.

To be honest, unless you’re a Reddit staffer or advertiser, it doesn’t look as though there’s much you can or need to do right now.

(We’re assuming, if you do work for or advertise with Reddit, that the company will already have contacted you personally if your data was among the “limited” information stolen, which we would consider a better short-term response than telling the whole world first.)

Reddit itself has made three suggestions, namely:

Protect against phishing by using a password manager. This makes it harder to put the right password into the wrong site, because the password manager isn’t deceived by the look-and-feel of a site, but works unemotionally with the exact name of the web page it sees in the address bar.

Ironically, this seems to be advice that Reddit itself didn’t follow, given that the attackers used a plausible look-alike site to steal login credentials, which a password manager would presumably have rejected as unknown.
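Why a password manager is so hard to fool is worth seeing in code. The snippet below is an added illustration written for this page, not code from Reddit, from Naked Security, or from any real password manager. It models a vault that only offers a saved login when the page’s exact origin (scheme, host and port, as the browser’s own URL parser sees it) equals the origin the credential was saved on, and it flags the kinds of look-alike hostnames a cloned login gateway tends to use. All hostnames and usernames are constructed for the example, and the helper names (checkSite, editDistance, VAULT) are made up here.

```javascript
// Added example, not code from the article or from Reddit: a minimal model of
// how a password manager decides whether to offer a saved login. It compares
// the exact origin in the address bar, never the page's look-and-feel, and it
// flags constructed look-alike hosts. Every domain and username is made up.
// Uses the global WHATWG URL class (available in Node.js and browsers).

// Constructed vault: each credential remembers the origin it was saved on.
const VAULT = [
  { origin: "https://intranet.example-corp.com", username: "alice" },
  { origin: "https://www.reddit.com", username: "alice_redditor" },
];

// Plain Levenshtein distance, used only to spot near-miss hostnames
// (redd1t vs reddit). Not part of any real manager's matching rule.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Decide what the manager would do on a given page URL.
// Returns { offered: [usernames it would autofill], warnings: [reasons for suspicion] }.
function checkSite(pageUrl, vault = VAULT) {
  const url = new URL(pageUrl);
  const warnings = [];

  // new URL() lowercases the host and converts Unicode labels to punycode, so
  // a homoglyph such as Cyrillic "е" in "rеddit" surfaces as an xn-- label and
  // can never compare equal to the ASCII "reddit.com".
  const host = url.hostname;
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    warnings.push(`host ${host} contains an internationalised (xn--) label`);
  }

  if (url.protocol !== "https:") {
    warnings.push(`page is not served over HTTPS (${url.protocol})`);
  }

  // The only thing that earns an autofill: scheme + host + port identical to
  // the origin the credential was saved on. Page title, logo and layout are
  // never consulted, which is exactly why a cloned gateway gets nothing.
  const offered =
    url.protocol === "https:"
      ? vault.filter((c) => c.origin === url.origin).map((c) => c.username)
      : [];

  // Near-miss heuristics for hosts that did NOT match exactly.
  for (const c of vault) {
    const saved = new URL(c.origin).hostname;
    if (host === saved) continue;
    if (host.includes(saved)) {
      warnings.push(`host ${host} embeds saved host ${saved} inside a longer name`);
    } else if (editDistance(host, saved) <= 2) {
      warnings.push(`host ${host} is within two edits of saved host ${saved}`);
    }
  }

  return { offered, warnings };
}

// Constructed test drive: the genuine site, three look-alikes, and plain HTTP.
for (const page of [
  "https://www.reddit.com/login",
  "https://www.reddit.com.sso-gateway.example/login",
  "https://www.redd1t.com/login",
  "https://www.r\u0435ddit.com/login",
  "http://www.reddit.com/login",
]) {
  console.log(page, JSON.stringify(checkSite(page)));
}
```

Only the first URL gets a credential offered; the subdomain trick, the digit-for-letter swap, the Cyrillic homoglyph and the plaintext-HTTP variant all come back empty, with a warning explaining why. Real managers differ in detail (several match on the registrable domain rather than the full origin, and none of them use an edit-distance heuristic), but the core rule is the same: no exact match, no autofill.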