Reddit has confirmed that hackers stole source code and internal data. The breach gave access to Reddit’s internal business systems; a situation that enabled them [hackers] to steal internal documents and the company’s source code.
Reddit said the hackers used a phishing lure, which targeted its employees with a landing page that impersonated its intranet site. This site, according to Reddit, attempted to steal employees’ credentials and 2FA tokens.
After one Reddit’s employee fell prey to the phishing attach, the threat actor was able to breach internal Reddit systems to steal data and source code.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems,” Reddit explained in an official post.
“We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”
The event was recounted to Reddit by an employee after he self-reported the incident to the security team of the company. Following its internal investigation, Reddit said the stolen data includes limited contact information for company contacts and current and former employees.
The data also included some details about Reddit’s advertisers, excluding credit card details, passwords, and ad performances.
The company, however, added that there are no indications that the hackers were able to breach production systems used to run its website.
In closely related story; though different from Reddit, Uber confirmed reports of a cybersecurity incident that impacted its cloud-based servers last September. Uber discovered that its computer network had been breached. The company had since put in place some security measures, including taking several of its internal communications and engineering systems offline.
The hack appeared to have impacted Uber’s internal systems. Images of email, cloud storage, and code repositories were sent to cybersecurity researchers and NYT by a person claiming responsibility for the breach.
The hacker also reportedly told the New York Times how he had sent a text message to an Uber staff claiming to be a corporate information technology person. The staff was then persuaded to release a password which allowed the hacker to gain access to Uber’s systems.
In 2016, hackers stole information from 57 million driver and rider accounts, and later approached Uber and demanded $100,000 to delete copy of the data. Uber, according to reports, bowed to the demand of the hackers, but did not disclose the breach for more than a year.