39 comments

[ 2.9 ms ] story [ 47.5 ms ] thread
> They gained access to some internal documents, code, and some internal business systems.

nothing important

Fortunately the hacker was fruitless in their effort to delete the mobile site and add a permanent redirect and HPKP pinning to old.reddit.com
This is how most initial disclosures go, then a few weeks on the third-party security firm investigating notifies them they got completely pwned.
> Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.

Reassuring if true.

>After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems.

Together with the contact info that could be basis for the next attack.

Added to the list of things that they have bungled.
Reddit stopped publishing their source code a long time ago, so I hope the hackers publish whatever they took.
Along with murdering there warrant canary, and repeated attempts to force people to there new crap web design or privacy invasive app.
No, Reddit. Phising is not a sophisticated attack.

Working in the cyber industry, it's so frustrating to see companies claim that they were done over by "sophisticated attacks" like phising!

I understand it from the PR points angle, but I always cringe. I hope others see through it too.

I guess we'll wait to see what they actually stole when they post the ransom.

Right? This is completely eliminated by using U2F tokens.

If you aren't using hardware auth to authenticate to corporate internal resources, your IT department is negligent or incompetent or both.

I literally have advanced protection turned on for a small four person single location retail operation I am involved with, simply for the PII of a few hundred people that they have to handle. The little USB/NFC fobs are $15.

There is no excuse other than incompetence.

Using MFA is absolutely a must.

But not using hardware based 2FA doesn't make the IT department, completely negligent or incompetent.

Most companies I know if they are using MFA are using Microsoft Authenticator soft tokens through their enterprise 365 environments.

MFA is extremely vulnerable to fishing, ie. man-in-the-middle. It is pretty useless, hardware token or not. U2F/webauthn mostly fixes that.
The Reddit hack in question phished the user-input MFA (presumably TOTP) string.
My point being is that by not having hardware based MFA, but still have a form of soft token MFA doesn't make the IT personnel completely incompetent or negligent.

Not requiring MFA at all and having weak passwords would be an example of that.

Then why are they still getting owned via common/routine phishing attacks? Ones that are entirely, cheaply, and easily preventable?
Because they don't pay a competent person to do their security or because the person they paid isn't able/willing to make decisions.

Phishing is not obviously sophisticated but an argument could be made. The problem with letting that kind of language slide is that it skirts responsibility. Society has a huge accountability problem currently and there isn't really an end in sight. There's no need to continue allowing corporations to use such language and continuing the problem.

If a solution to phishing is available and not used, the easy mode hack is attributed to the security of the people so responsible. They took a risk and that went bad. Fire them(the people ACTUALLY RESPONSIBLE) and move forward with a better model of security.

The person actually responsible is the person(s) who made the final call on using security susceptible to phishing attacks where a better option exists.

Most attacks are Phishing whether it's from hackers in basements or hackers in secret government bunkers.

At the moment, it's the easiest way into a network. So everyone is doing it.

Yes, it is sophisticated. Phishing emails are opened more often then regular mail (assuming it’s in your inbox) and click-rate is pretty high.

You might be good at cracking phishing simulation at your workplace, but many people won’t know if “amazon.example.com” or “example.amazon.com” is real. This is of course something good filter will pick up, but consider how hard it is to make sure 0 employees fall to the attack.

Also, even 2FA can get compromised with notification spam, that’s how it played out in one of the attacks couple of years ago.

No, it's not sophisticated. They're using "sophisticated" inappropriately here for pure PR.

Just because phishing is common, doesn't make it sophisticated.

>Yes, it is sophisticated. Phishing emails are opened more often then regular mail and click-rate is pretty high.

You're confusing "sophisticated" with "efficient". Phishing is efficient but unsophisticated; it boils down to one of the oldest tricks ever, to make you believe that $foo is $bar.

(comment deleted)
Phishing _can_ be more or less "sophisticated" (obviously some of this is a semantic argument) attack, it depends on the details.

For example, if you select a target and collect information in order to tailor the attack, or you use inside information to prey on a flaw (such as security fatigue), that's at least more sophisticated than a typical phishing email.

Not that I disagree with your take about the PR angle.

They somehow replicated the intranet site so I'd call that somewhat sophisticated. That kind of feels like they had insider knowledge.

> As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

>No, Reddit. Phising is not a sophisticated attack.

You're right, it isn't. It's just Reddit admins lying through their teeth, it's their usual. Almost like they take most of the current Reddit userbase as braindead. (Spoilers: they might be right.)

In this specific case they're lying to not make it so obvious that they're pretty much incompetent to manage their site.

I'd argue that cloning their intranet site takes this up a notch from regular phishing
Nobody gets phished with a plain text email/site that says “give me your system access”.

Creating a replication of their intranet gateway requires recon to know what gateway they use, (if they use a custom api) recreate that api, and finding who to actually send the fake page to.

I’d call this spear fishing. That’s sophistication. Recon and tailoring to the target is sophisticated. It may not be super complicated, but it shows sophistication.

Sophistication is a spectrum between ”hey mister, and I have your credentials?” and nationstate APT’s.

It is almost as annoying as when hack / breach turns out to be someone scrapped every profile on the site.
From TFA:

> in an attempt to steal credentials and second-factor tokens. > > After successfully obtaining a single employee’s credentials

So was the attempt to steal second-factor successful or was it the account of an employee without 2FA that was compromised?

Because then...

On the page as to how to set up 2FA linked from TFA:

https://reddithelp.com/hc/en-us/articles/360043470031-What-i...

> "After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit."

There's 2FA and 2FA. TOTP like Google Authenticator giving these six digits are easy to phish.

I much prefer FIDO(2) devices and the webauthn protocol (Chrome doesn't even allow U2F anymore but webauthn is backward compatible with old security keys), especially when the device uses a different method for registering a service the first time and for then authenticating to that service (for example by using a different PIN for registering and for authenticating or by displaying on the device itself if you're registering or authenticating).

Crazy with all the security implemented, all it takes is just a phishing email.
More places really really need to use [essentially] unphishable 2fa (security keys) and make that the sole method of 2fa except maybe in a break-glass case. but even them, you can have multiple security keys including backup ones
I find it funny that while I'm a regular visitor to Reddit, I only find out about the attack on HN.
Same, except I found out on Mastodon and posted it to HN.
Wow, old reddit is so ugly and outdated
It's compact and nag-free.
Also doesn’t crash my browser (mobile) -and no don’t want to use any apps.
I got a message this morning that I was accepted into a sub that I never heard about, as if I had applied (but I didn't). It seemed to be a notification, not a message. I don't see it now. I'm guessing it's related to the hack, but it's not obvious what the scam or purpose was.