Typically, when Reddit makes the headlines, it’s because someone around the world has used the social news aggregator to post something interesting, informative, funny, wonderful, or just plain weird. However, a few days ago Reddit went from facilitating the story to BEING the story — and not in a good way.
About the Attack
Reddit announced that on February 5, 2023, it was hit with a spear-phishing attack. A hacker sent out credible-looking prompts directing employees to a website that cloned the behavior of the company’s intranet gateway.
After successfully obtaining an employee’s credentials, the hacker gained access to some internal code, docs, dashboards, and business systems. A subsequent investigation revealed that exposed data included some contact information of Reddit contacts and advertisers, as well as current and former employees’ data.
The company has stated that Reddit-user passwords and accounts were not compromised. Nevertheless, they have urged users to reset their password and, if they are not doing so already, use a password manager (more on this later).
What Makes this Different?
Spear-phishing (and other) attacks are so common these days, that if we started creating blog posts for each of them, we would never stop writing. Globally, over 30,000 websites are hacked daily.
So what makes this latest Reddit hack notable? It is not because we have our very own subreddit (r/Devolutions). It is because something — or make that, someone — made this incident different and noteworthy.
The hack was brought to Reddit’s attention not by a solution in the company’s cybersecurity toolkit, but by the same employee who was fooled by the spear-phishing attack. This employee’s quick decision played a pivotal role in containing the campaign and mitigating the damage.
The takeaway here is that providing comprehensive cybersecurity training should be viewed as essential rather than optional. In a comment to Hackread.com, Sam Humphries of the cybersecurity firm Exabeam said: “This latest [Reddit] incident is yet another reminder that all it takes is one employee’s credentials to be stolen to open the door to an organization’s internal systems. Fortunately, in the case of Reddit, the targeted employee self-reported the incident to their security team, allowing for prompt investigation and response.”
What About Password Managers?
As noted earlier, Reddit is also advising its users to use a password manager. This is good and basic advice. But there is much more to the story.
Our Sales Ops Manager Gabriel recently published an article highlighting that most companies also need privilege session management (PSM) and/or privileged access management (PAM). This is because standalone password managers are essentially business continuity tools — and NOT security solutions — because they lack functions such as:
- Secure credential injection
- Account discovery
- Automated password rotation
- Alerts and notifications
- Checkout request approval process
Click here to read Gabriel’s article.
The Final Word
There is no way to eliminate cyberattacks. But there are practical, proven, and cost-effective ways for companies to reduce the size of their exposed attack surface, and shift the paradigm from reactive to proactive. Comprehensive training, 2FA, and password manager + PSM/PAM should be core pillars of a robust and reliable cybersecurity profile.
Companies that get ahead of the curve will spend less time investigating and remediating attacks, and more time doing what really matters: achieving business objectives, serving customers, maintaining standards, and of course, browsing Reddit (we recommend r/MadeMeSmile to brighten your day!).