Reddit Hacked — 2FA is no Phishing Phix

Reddit got hacked with a “sophisticated” spear phishing attack. The individual victim was an employee who clicked the wrong email link.

Despite having 2FA, it was enough to give the scrote access to Reddit’s internal systems. It proves we need to ditch time-based one-time passwords (TOTP).

FIDO2/WebAuthn to the rescue? In today’s SB Blogwatch, we open a stopwatch app to time the arms race.
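Why the stopwatch matters: a TOTP code is six digits with no memory of where it was typed, whereas a WebAuthn assertion is signed over the origin the browser actually showed the user. The following is an added example written for this post, not code from Reddit or from any of the bloggers quoted below; it uses only the Python standard library, the relying-party names (example.com, example-login.test) and the challenge are constructed, and an HMAC over a per-credential secret stands in for the authenticator's real public-key signature.

```python
"""Added example: why a relayed TOTP code verifies, while a WebAuthn
assertion relayed from a lookalike page does not. Relying-party view,
standard library only; the authenticator and RP names are constructed."""
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                         # assumed relying party
RP_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://example-login.test"   # constructed lookalike origin


# --- TOTP per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) --------------
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    # The server receives six digits and nothing else: no information about
    # which page the user typed them into, so a code captured on a lookalike
    # login page and replayed within the window is indistinguishable from a
    # code typed on the real site.
    return any(hmac.compare_digest(totp(secret, now + k * 30), submitted)
               for k in range(-window, window + 1))


# --- WebAuthn-style assertion, simplified --------------------------------
class Authenticator:
    """Toy authenticator. Credentials are scoped to an rpId, and HMAC over a
    per-credential secret stands in for the real public-key signature."""

    def __init__(self):
        self.creds = {}          # rpId -> credential secret
        self.sign_count = 0

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = hashlib.sha256(b"constructed-cred:" + rp_id.encode()).digest()
        return self.creds[rp_id]  # the RP stores this as the credential's verifier

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self.creds:
            return None          # no credential for this rpId: the authenticator declines
        self.sign_count += 1
        # authenticatorData = rpIdHash || flags (user-presence bit set) || signCount
        auth_data = (hashlib.sha256(rp_id.encode()).digest() + b"\x01"
                     + struct.pack(">I", self.sign_count))
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self.creds[rp_id], signed, hashlib.sha256).digest()


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    # The browser, not the page's script, records the origin the user is on.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


def verify_assertion(cred: bytes, challenge: str, client_data_json: bytes,
                     auth_data: bytes, signature: bytes) -> bool:
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:    # origin binding: relayed data fails here
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                     # signed for the wrong rpId
    if not (auth_data[32] & 0x01):
        return False                     # user-presence flag not set
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return hmac.compare_digest(hmac.new(cred, signed, hashlib.sha256).digest(), signature)


def run_demo() -> dict:
    results = {}
    # 1. TOTP: the same code verifies no matter where it was entered.
    seed, now = b"12345678901234567890", 1_700_000_000   # RFC 6238 sample seed
    code_typed_on_lookalike = totp(seed, now)
    results["totp_relayed_accepted"] = verify_totp(seed, code_typed_on_lookalike, now + 5)

    # 2. WebAuthn: register with the real RP, then try three sign-in flows.
    auth = Authenticator()
    cred = auth.register(RP_ID)
    challenge = "constructed-challenge-123"
    cd = browser_client_data(RP_ORIGIN, challenge)
    results["webauthn_real_site_accepted"] = verify_assertion(
        cred, challenge, cd, *auth.get_assertion(RP_ID, cd))
    # A page on example-login.test can only request an rpId within its own
    # domain, and the authenticator holds no credential for it.
    results["webauthn_lookalike_gets_assertion"] = (
        auth.get_assertion("example-login.test", cd) is not None)
    # Even client data for RP_ID produced at the lookalike origin fails the origin check.
    cd_phish = browser_client_data(PHISH_ORIGIN, challenge)
    results["webauthn_relayed_accepted"] = verify_assertion(
        cred, challenge, cd_phish, *auth.get_assertion(RP_ID, cd_phish))
    return results
```

Running `run_demo()` returns the TOTP relay as accepted and both WebAuthn lookalike paths as rejected: the first because the authenticator has no credential scoped to the lookalike's rpId, the second because the relying party compares the browser-supplied origin against its own. That origin check is the whole difference between "2FA" and "phishing-resistant 2FA".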

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The deaf muffin man.

Snoo Boo Boo

What’s the craic? Lawrence Abrams reports—“Hackers breach Reddit to steal source code and internal data”:

Two-factor authentication tokens
Reddit suffered a cyberattack Sunday evening, allowing hackers to access internal business systems and steal internal documents and source code. … The hackers used a phishing lure targeting Reddit employees with a landing page impersonating its intranet.

This site attempted to steal employees’ credentials and two-factor authentication tokens. After one employee fell victim to the phishing attack, the threat actor was able to breach internal Reddit systems to steal data and source code. … The employee self-reported the incident to the company’s security team.

With more, here’s Davey Winder—“Reddit Confirms It Was Hacked”:

Recommend changing your Reddit account password
Reddit, the social news and discussion site with 50 million daily users … said it first became aware of the successful breach of its systems late on February 5. … It refers to [the hack] as a “sophisticated phishing campaign that targeted Reddit employees.”

As with all such security incidents, information is currently sparse. … However, what we do know is … the attackers used a targeted phishing campaign to gain access. … Reddit has recommended that users [set] up two-factor authentication (2FA) on their accounts.

I would, however, also recommend changing your Reddit account password despite there being no evidence that these have been compromised. … As recent high-profile breaches have taught us, new evidence can come to light weeks or months after the initial attack.

Horse’s mouth? Reddit CTO u/KeyserSosa:

Takeout boxes and empty energy drinks
Here’s what we know: [Your] passwords and accounts are safe. … Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. … We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website … in an attempt to steal credentials and second-factor tokens. … It only takes one person to fall for it and then before you know it, two days have passed and your desk is covered in takeout boxes and empty energy drinks. … The human is often the weakest part of the security chain.

You are the weakest link. Goodbye. Potemkine! tweaks that final homily:

The human is always the weakest part of the security chain, until the Singularity occurs.

But it was ever true. Tommy can you hear me?

It’s amazing this stuff doesn’t happen more often. Even with 2FA, a cloned page is very effective.

Huge companies have so many employees, it’s not hard to get one of them to fall for it. Our company sends out phishing tests regularly and the high quality ones fool a ton of people. 2FA goes a long way but a targeted attack is very difficult to beat.

Sounds like a good idea? It happens at u/redneckrockuhtree’s workplace, too:

My employer periodically does fake phishing emails, to test us and help us remember to remain vigilant. Those who “fail” get a gentle reminder.

I had one of them almost catch me—and I tend to be pretty particular about security. It can happen to any of us.

But a “sophisticated” attack? Not according to uPiDmTXL:

No, Reddit. Phishing is not a sophisticated attack. … It’s so frustrating to see companies claim that they were done over by “sophisticated attacks” like phishing! I understand it from the PR points angle, but I always cringe. I hope others see through it too.

Am I bothered, though? argStyopa isn’t:

Good. I hope they release it publicly. I’ve personally never met a more sociopathic band of aggressive petty tyrants than the mods of Reddit and their enablers, the staff of Reddit.

Wait. Pause. The attacker succeeded, despite 2FA? I guess we all have to move to FIDO2. ta1243 eyerolls, furiously:

10 years ago: “Use a strong password with all these symbols.”
Average person reluctantly moves from 123456 to P@55word!
8 years ago: “No passwords as such, use a pass phrase.”
Average person reluctantly moves from P@55word! to correct-horse-battery-staple.
6 years ago: “OK, but you need to use different passwords on each site.”
Average person reluctantly moves to different passwords per site.
4 years ago: “But you can be phished, you have to use 2FA.”
Average person reluctantly moves to SMS.
2 years ago: “No, in some countries it’s easy to take over SMS, use TOTP.”
Average person reluctantly moves to TOTP.
Today: “No, TOTP is rubbish, you can be phished, use this hardware authenticator.”

Normal people don’t like new shiny ways of working every year or so … but technologists think changing the way things work every couple of years is acceptable.

Meanwhile, u/aaaaaaaarrrrrgh finds the silver lining:

This is among the better breach notifications I’ve seen (and I’ve seen a few). … The “we have no evidence to suggest” statement is backed by at least some further explanation.

Companies that don’t take security seriously … sometimes say that they have no evidence, without stating that either:
[a] They didn’t bother looking (because if they did look they might find something, and then they couldn’t pretend it’s all fine), or …
[b] They basically have no logs and wouldn’t see it even if someone walked out of the door with all your data.

And Finally:

PLAY IT LOUD

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Brett Jordan (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
