Cyber Incident Victim: Reddit

Date: Feb 2023

Location: United States of America

Summary

A sophisticated phishing attack targeted the company, using a fake intranet site to steal an employee's credentials and two-factor authentication tokens, enabling unauthorized access to internal systems. The breach resulted in theft of source code, internal documents, dashboards, and limited contact information for current and former employees and advertisers, though primary production systems storing user data remained uncompromised. No sensitive information—including passwords, financial data, or ad performance metrics—was accessed, and there was no evidence of the stolen data being distributed publicly. The incident was contained after the affected employee self-reported, prompting immediate revocation of attacker access, law enforcement notification, and internal security reviews.

Description

On February 5, 2023, Reddit experienced a security breach stemming from a sophisticated phishing campaign targeting its employees. The attackers deployed a fraudulent website designed to mimic Reddit’s internal intranet gateway, aiming to harvest employee credentials and two-factor authentication (2FA) tokens. One employee fell victim to this scheme, enabling the threat actor to gain unauthorized access to select internal systems. The compromised systems included internal business dashboards, document repositories, and portions of Reddit’s source code. Reddit confirmed that the breach did not extend to its primary production systems, which host the platform’s core functionality and store the majority of user data. The stolen data encompassed limited contact information for current and former employees, company contacts, and advertisers. Notably, the attackers did not access sensitive categories such as user passwords, credit card details, financial records, or advertising campaign performance metrics. The breach was detected after the targeted employee self-reported the phishing incident to Reddit’s security team, triggering an immediate investigation.

Reddit’s security team swiftly revoked the attacker’s access, initiated containment measures, and notified law enforcement agencies. Internal investigations revealed no evidence that the stolen data had been published or distributed online. The company emphasized that its advertising platforms and user-facing services remained operational throughout the incident, with no disruption to normal operations. Reddit acknowledged the phishing attack’s similarity to recent campaigns, including one targeting Riot Games, which involved source code theft and subsequent ransom demands. While the exact scope of the accessed source code was not detailed, Reddit confirmed it represented a limited subset of internal assets. The incident highlighted procedural weaknesses in employee security practices, prompting Reddit to reinforce internal training and monitoring. No further breaches or secondary incidents were reported following the initial containment, and the company maintained that user accounts and non-public data remained secure throughout the event.
