Disclosing the incident in a thread posted to the official r/reddit community on Thursday, Reddit said that a “sophisticated phishing campaign” sent “plausible-sounding prompts” to employees, luring them to a phishing site that mimicked Reddit’s own intranet gateway in an attempt to steal credentials and second-factor tokens. After one employee fell for the lure and handed over their credentials, the threat actors used that account to gain access to some internal documents and code, as well as some internal dashboards and business systems. The company stressed, however, that it found no evidence of a breach of its primary production systems (the parts of its stack that run Reddit and store the majority of the site’s data), and no evidence that the stolen information has been published or distributed online.

“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information,” Reddit stated in its post. “Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”

According to Reddit, it became aware of the phishing attack on Sunday (February 5, 2023) after the affected employee self-reported the incident to the Security team soon after being phished. In response, Reddit’s Security team promptly locked the compromised account, cutting off the intruder’s access to Reddit systems, and opened an internal investigation into the incident.

“Similar phishing attacks have been recently reported. We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain,” it added. “Our goal is to fully understand and prevent future incidents of this nature, and we will use this post to provide any additional updates as we learn and can share more.”

To safeguard against phishing attacks, Reddit encouraged Redditors to strengthen the security of their personal Reddit accounts by setting up 2FA (two-factor authentication) as an extra layer of protection. One caveat a practitioner would add: code-based 2FA (TOTP or SMS codes) can still be captured and relayed by a real-time phishing site, which is exactly what this campaign attempted by targeting second-factor tokens; phishing-resistant factors such as FIDO2/WebAuthn security keys bind the login to the genuine site’s origin and cannot be relayed this way. Reddit also recommended that users update their passwords every few months and keep them strong and unique. Current NIST guidance (SP 800-63B) no longer calls for routine password rotation, but it does call for changing a password as soon as it may have been exposed, and for never reusing one across sites. Beyond that, be careful when opening links or downloading attachments from untrusted sources, and verify that the address of the site you are visiting is genuinely the one you expect before entering any credentials.