Popular internet forum website Reddit has confirmed it was the victim of a cyber attack, with hackers using a phishing attack on employees to steal login details and access the platform’s internal systems.
The company said the attack on February 5 had seen hackers gain access to “internal documents, code, as well as some internal dashboards and business systems”.
However, the online forum said that after several days of investigation, it had “no evidence” to suggest that Reddit user passwords or other information had been compromised or distributed online.
In a statement posted to Reddit, the company said a “sophisticated phishing campaign” had been used to target Reddit employees.
“As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behaviour of our intranet gateway, in an attempt to steal credentials and second-factor tokens,” Reddit said of the attack.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”
Reddit confirmed the attack had seen “limited contact information” of current and former employees and “limited advertiser information” had been exposed in the attack.
The company said the affected employee in the attack self-reported the incident and the firm’s security team cut off the attacker’s access.
Reddit also used the incident to encourage users to boost their own personal security.
“Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account,” the company said.
“The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account.
“And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.”
