When an organization suffers a cyber attack, two types of judgment soon follow: a regulatory review and a public trial, with online commentators condemning the victim’s security practices and its ineffective response.
But Reddit has flipped the script, being universally praised for its response to a cyber attack that occurred earlier this month.
The social media site (whose users insist it isn’t a social media site) posted a detailed breakdown of the incident, calling it a “sophisticated phishing campaign.”
Using “plausible-sounding prompts”, scammers directed employees to a bogus website that cloned the behaviour of Reddit’s intranet gateway.
They then attempted to trick victims into handing over their login credentials and two-factor authentication tokens.
At least one employee fell for the attacker’s bait, but thanks to the organization’s swift response, the damage was limited.
What data was compromised?
Reddit confirmed that the scammer used the compromised login credentials to access “some internal documents, code, as well as some internal dashboards and business systems.”
It’s unclear exactly what these files are, but they don’t appear to have major security ramifications. Reddit clarified that its core internal functions, such as its operating systems, code, and networks, remain secure.
Of greater concern is the scammer’s access to a “limited” amount of personal data. This includes information related to current and former employees, advertising customers and “contacts” – which likely refers to contractors and temporary staff.
There is currently no word on what information specifically was compromised. As Paul Ducklin of Naked Security noted in his description of the disclosure, a “limited” breach is open to interpretation.
“The word limited might be a good sign (e.g. name and email address, and no other data), but could just as easily be a bad thing (e.g. “only” two data items: your social security number and a scan of your driving licence),” he wrote.
What is clear is that Reddit users themselves are unaffected. The site said there was “no evidence” to suggest that account information such as passwords had been affected.
Despite that, Reddit used the incident to encourage users to boost their account’s security.
“Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account,” the site said.
“The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account.
“And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.”
How it should be done
Reddit’s handling of this incident is a case study in effective data breach management. The success of its response goes back to the moment the employee realized that they had been phished.
They were able to quickly identify how they had been duped and knew that they were obliged to contact the IT team.
Of course, the ideal scenario would have involved the employee spotting the scam before falling victim, but this is something that organizations cannot rely on. There are hundreds of thousands, if not millions, of phishing emails sent each day, and they are becoming increasingly sophisticated.
IT teams have responded to the threat with an array of technological controls, including automated alerts that tell recipients when an email has come from an external or uncommon source.
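As an added illustration of the kind of control described above (example code written for this article, not anything Reddit runs), the following tags inbound mail that comes from an external or previously unseen sender, and also flags two patterns that an external-sender banner alone would miss: a Reply-To that points away from the From domain, and an internal-looking From with an external envelope sender. The domains, the known-sender list and the sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organization's own mail domain and the
# external senders staff have already exchanged mail with.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_EXTERNAL_SENDERS = {"billing@vendor.example"}

def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def classify_sender(raw_message: str) -> dict:
    """Decide which warning banner, if any, a raw RFC 5322 message needs.

    Flags raised: 'external' (From domain is not ours), 'first-contact'
    (external sender never seen before), 'envelope-mismatch' (internal From
    but external Return-Path) and 'reply-to-mismatch' (Reply-To domain
    differs from the From domain).
    """
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    flags = []
    if from_dom not in INTERNAL_DOMAINS:
        flags.append("external")
        if from_addr not in KNOWN_EXTERNAL_SENDERS:
            flags.append("first-contact")
    elif envelope_dom and envelope_dom not in INTERNAL_DOMAINS:
        flags.append("envelope-mismatch")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    banner = "CAUTION: " + ", ".join(flags) if flags else ""
    return {"from": from_addr, "flags": flags, "banner": banner}

# Constructed sample messages: a lure that spoofs the internal helpdesk, and
# an ordinary internal note that should receive no banner.
SAMPLE_LURE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    'From: "IT Helpdesk" <helpdesk@example.com>\n'
    "Reply-To: helpdesk@example-gateway.net\n"
    "Subject: Re-authenticate to the intranet gateway\n\n"
    "Please re-confirm your gateway login.\n"
)
SAMPLE_INTERNAL = "From: alice@example.com\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_INTERNAL):
        print(classify_sender(sample))
```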
But scammers continue to develop ways to bypass these defences, meaning malicious emails will inevitably end up in people’s inboxes. From there, it only takes one mistake for a security breach to occur.
When that happens, it’s essential that employees own up to their mistakes. They are often reluctant to do so, because they think it will get them in trouble. But in this case, the employee had no such qualms – indicative of a strong security culture – which enabled Reddit’s security team to remove the infiltrator’s access and begin an internal investigation.
A few days later, Reddit CTO Chris Slowe provided an update on Reddit, where he answered users’ questions about the incident. The majority of respondents praised the organization for its handling of the incident – particularly its willingness to keep users informed about exactly what went wrong.
The episode highlights a crucial lesson about information security: what happens after a data breach is as important as what happens before. Your organization must take the time to educate everyone about the threats they face and their obligations when dealing with information security risks.
These lessons are a core component of our Phishing Staff Awareness E-learning Course. This online programme provides essential guidance to embed a culture of security awareness throughout your organization.
We use real-world examples to explain how phishing attacks work, the tactics that scammers use, and the ways you can detect malicious emails.
You and your team will receive the expert guidance you need to detect phishing attacks and respond appropriately, protecting your organization from a costly data breach.
The course content is updated quarterly to include recent examples of successful attacks and the latest trends that criminals use.