Reddit is a forum that boasts 50 million daily users and, according to a post by their CTO, Christopher Slowe (a Harvard graduate), hackers breached their systems and stole source code and employee data.
...the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.
The employee whose account was compromised swiftly self-reported the incident to the Reddit security team after realising their error, a move that should be applauded and not reprimanded in any modern organisation.
Reddit claimed on Twitter that they require employees to have 2FA on their systems. Evidently, this is not a phishing-resistant form of 2FA such as a hardware token like those offered by YubiKey. If it were, this attack would have been technically impossible.
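The difference between the two kinds of second factor is worth seeing in code. The following is an added example, not code from the original post or from Reddit: it implements a standard TOTP code (RFC 6238 over an HOTP counter) and a toy origin-bound assertion modelled on how FIDO2/WebAuthn hardware tokens sign over the origin the browser is actually connected to. The secrets, origins and the `sign_challenge`/`verify_assertion` helpers are constructed for illustration; a real authenticator uses a public-key signature rather than the HMAC used here.

```python
import hashlib
import hmac
import json
import os
import struct

# --- TOTP/HOTP style second factor (RFC 4226 / RFC 6238) ---------------------
# The code depends only on the shared secret and the time step, so it is the
# same value no matter which website asks for it. That is what lets a cloned
# intranet page collect the code and pass it straight to the real gateway.

def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """HOTP dynamic truncation over the 30-second counter (SHA-1, as in RFC 6238)."""
    msg = struct.pack(">Q", timestep)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_login(server_secret: bytes, submitted_code: str, timestep: int) -> bool:
    """What the real gateway checks: does the submitted code match for this step?"""
    return hmac.compare_digest(totp(server_secret, timestep), submitted_code)


# --- Origin-bound assertion, modelled on FIDO2/WebAuthn --------------------
# The browser (not the user) fills in the origin it is really talking to, and
# the authenticator signs over it. A toy HMAC stands in for the device's key.

def sign_challenge(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    client_data = json.dumps(
        {"origin": origin, "challenge": challenge.hex()}, sort_keys=True
    ).encode()
    return hmac.new(device_key, client_data, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, expected_origin: str,
                     challenge: bytes, signature: bytes) -> bool:
    """The relying party only accepts assertions made for its own origin."""
    expected = sign_challenge(device_key, expected_origin, challenge)
    return hmac.compare_digest(expected, signature)


# Constructed origins for the walkthrough: the real gateway and a lookalike.
REAL_ORIGIN = "https://intranet.example.com"
FAKE_ORIGIN = "https://intranet-gateway.example.net"


def totp_relay_outcome(timestep: int = 12345) -> bool:
    """Employee types a valid TOTP code into the lookalike page; it is relayed."""
    secret = os.urandom(20)  # constructed shared secret (app + real server)
    code_typed_on_fake_site = totp(secret, timestep)
    return totp_login(secret, code_typed_on_fake_site, timestep)  # True: relay works


def origin_bound_relay_outcome() -> bool:
    """Same relay against a hardware token: the signature names the wrong origin."""
    device_key = os.urandom(32)
    challenge = os.urandom(32)  # real gateway's challenge, relayed by the fake site
    sig = sign_challenge(device_key, FAKE_ORIGIN, challenge)
    return verify_assertion(device_key, REAL_ORIGIN, challenge, sig)  # False: rejected


def origin_bound_legit_outcome() -> bool:
    """Control case: the same token used directly on the real gateway succeeds."""
    device_key = os.urandom(32)
    challenge = os.urandom(32)
    sig = sign_challenge(device_key, REAL_ORIGIN, challenge)
    return verify_assertion(device_key, REAL_ORIGIN, challenge, sig)  # True


if __name__ == "__main__":
    print("TOTP code relayed through lookalike accepted:", totp_relay_outcome())
    print("Origin-bound assertion relayed accepted:", origin_bound_relay_outcome())
    print("Origin-bound assertion used directly accepted:", origin_bound_legit_outcome())
```

The point the code makes is that a TOTP or SMS code carries no information about where it was entered, so the gateway cannot tell a relayed code from a genuine one; an origin-bound assertion does, and the real origin rejects anything signed for a lookalike domain without the user having to notice the difference.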
The post then goes on to remind people that the best way to protect their accounts is by using 2FA:
The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account.
Reddit suffered a breach back in 2018 and published a lessons learned post on its website. Interestingly, in the 2018 incident, its 2FA over SMS was intercepted.
Regardless of the service or website you're using, setting up 2FA is fundamental. You can read about how to set up 2FA on your Reddit account here.