On Sunday night, the popular social platform Reddit was the victim of a cyberattack that granted hackers access to its internal business systems and gave them the chance to obtain sensitive data and source code. The company says the hackers used its intranet site as a ruse to lure Reddit employees into a phishing trap. The phishing website attempted to steal employees’ login credentials and two-factor authentication tokens.
After one employee fell victim to the phishing scam, the threat actor was able to access internal Reddit systems and steal data and source code. According to Reddit’s security incident report, “after successfully gaining a single employee’s credentials, the attacker obtained access to several internal documents, code, as well as some internal dashboards and business systems.”
Hackers Take Internal Documents And Source Code.
Reddit says it has no evidence that its primary production systems, which power Reddit and house the majority of its data, have been compromised. According to Reddit, the company’s security team was notified of the breach after the employee self-reported the occurrence.
After investigating the situation, Reddit says the stolen data included some internal docs and source code, as well as internal dashboards and business systems, both present and previous. The data also included information about the company’s advertisers, but credit card details, passwords, and ad performance were not accessible.
Additionally, Reddit says there are no signs that threat actors breached the website’s production systems. Although Reddit has not provided any details about the phishing attack, it mentioned that a similar method was used to compromise Riot Games.
In that attack, threat actors broke into Riot Games and grabbed the source code for the Teamfight Tactics (TFT) auto-battle game, a legacy anti-cheat platform, and the League of Legends (LoL) multiplayer online combat arena.
A $10 million ransom demand for the data not to be revealed was later made to the game company, which rejected it. The hacker then tried selling League of Legends’ source code for $10 million on a hacker forum.
Defending Yourself Against Phishing Scams
More and more sophisticated phishing schemes are being created, so it’s essential to be informed about how to avoid falling victim to these online assaults. Listed here are seven easy ways to spot and avoid phishing schemes.
1. Recognize the signs of being phished.
Even though new phishing attack strategies are constantly being created, there are some consistent tells that can help you spot them. You can find a lot of information about current phishing scams and how to spot them on the internet. Your organization has a better chance of thwarting an attack if you regularly train your users on the newest security best practices and inform them of emerging threats.
2. Don’t go to that website
Even if you know the source of an email or instant message, it’s best to exercise caution before clicking on a link in the message. Doing little more than hovering over the link to verify its target is a good start. Some phishing attacks are pretty complex, with a destination URL that looks identical to the real one but is actually set up to steal login credentials or financial data. In some cases, you may find it more efficient to use your preferred search engine to reach the destination page directly.
3. Get free anti-phishing plugins
These days, most browsers let you install add-ons that can identify fraudulent websites and warn you when you visit a known phishing site. Since they are usually free, there’s no excuse for not having them on your company’s computers.
4. Never provide personal information on an unprotected website.
Do not enter personal information or download files from a website if the address bar does not begin with “https” or if the padlock icon does not appear to be closed next to the address bar. Even though sites lacking security certifications might not be malicious, it’s best to remain cautious just in case.
5. Change your passwords regularly
Changing your passwords on your online accounts on a regular basis will help keep an attacker from having unrestricted access to your data. If you suspect that your accounts have been compromised, changing your passwords regularly is a simple yet effective way to thwart further intrusion attempts and keep out would-be hackers.
6. Keep an eye out for new information
It’s easy to grow annoyed by the constant stream of update notifications and start ignoring them. Avoid doing that. The primary goal of releasing security patches and updates is to close the security holes that hackers are exploiting today. It’s important to keep your browser up-to-date to protect yourself from phishing attacks and other threats that could have been prevented with a bit of maintenance.
7. Resist the urge to click on those intrusive ads
As part of a phishing effort, pop-ups aren’t only annoying; they can also spread malware. Ad-blocking software is available for free download and installation on most modern browsers and can effectively eliminate potentially dangerous pop-ups. Even if an ad gets past your ad blocker, you shouldn’t be persuaded to click on it. The “Close” button may be hidden in some pop-ups; if you can’t find it, try the “x” in one of the corners.
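The "hover over the link" check from tip 2 can also be run automatically, for example at a mail gateway. The following is an added example, not code from Reddit or from the original article; the trusted hostnames, the finding labels and the sample links are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames the organization really uses (constructed for this example).
TRUSTED_HOSTS = {"intranet.example.com", "sso.example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(display_text, href):
    """Return the findings for one link; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # In https://name@other-host/ the real destination is the part after "@".
        findings.append("userinfo-in-url")
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn-host")  # internationalized name, may imitate ASCII letters
    # A hostname shown in the visible text should be the host the link goes to.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if shown and shown.group(1) != host:
        findings.append("text-href-mismatch")
    if host not in TRUSTED_HOSTS:
        for trusted in sorted(TRUSTED_HOSTS):
            # Near-miss spelling, or the trusted name embedded in a longer host.
            if trusted in host or edit_distance(host, trusted) <= 2:
                findings.append("lookalike:" + trusted)
    return findings

if __name__ == "__main__":
    samples = [  # constructed sample links
        ("intranet.example.com", "https://intranet.example.com/login"),
        ("intranet.example.com", "https://intranet-example.com/login"),
        ("Sign in", "http://intranet.example.com@login.example.net/"),
    ]
    for text, href in samples:
        print(href, check_link(text, href))
```

A link that produces no findings is not proven safe; the check only catches the mismatches and lookalike patterns listed in the code.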