Reddit logo

Reddit breached, here’s what you need to know

On Thursday, February 9, 2023, Reddit reported that it had experienced a security incident as a result of an employee being phished.

What happened?

According to Reddit, it “became aware of a sophisticated phishing campaign” late on February 5, 2023, that attempted to steal credentials and two-factor authentication tokens.

One of its employees fell for the phish, and then self-reported, alerting Reddit to what had happened. It says its “security team responded quickly, removing the infiltrator’s access and commencing an internal investigation.”

The employee’s credentials were reportedly used to gain access to “some internal docs, code, as well as some internal dashboards and business systems”, which exposed “limited contact information” for company contacts and employees, and information about advertizers.

According to Reddit, your passwords are safe. As a result, there is no need to alter your login details. It also says there are no signs the breach affected “the parts of our stack that run Reddit and store the majority of our data” or “any of your non-public data.”

Reddit deserves praise for reporting what happened so clearly: Clear messaging, no evasion, and a clear indication of what users should take into consideration. Ironically, the one piece of advice that Reddit offers it users is to set up two-factor authentication (2FA) to protect their accounts.

The right kind of 2FA—2FA that relies on hardware keys or FIDO2 devices—could have prevented its own employee from being phished. Still, any form of 2FA is better than none, so we encourage you to set up 2FA on Reddit. Its app-based 2FA can’t protect you from phishing, but it will stop all kinds of assaults on your passwords.

How to set up 2FA on Reddit

You’ll need to make use of an app to generate the six-digit code required to log in alongside your password. From the FAQ:

  • Click on your username in the top right of your screen.
  • Select User Settings and click on the Privacy & Security tab. 
  • Under Advanced Security, you’ll see the Use two-factor authentication control. To enable it, click the toggle to on.
  • Next, enter your password and click Confirm. 
  • Follow the step-by-step instructions to set up your authentication and don’t forget to save your backup codes
  • After setup, you may be asked to log out and log back in to your account. Moving forward, you’ll need to enter a 6-digit code from your authenticator app every time you log in to Reddit.

With this in place, your account will be a lot more secure with or without a breach of some kind lurking in the background. Now it’s time to take a look at the breach notification. In their own words:

An incident notification done well

As anyone in security will tell you, breaches are a matter of “if, not when”, so it matters how companies respond when they are breached. Reddit has handled it well so far.

The very first paragraph of its notification is a “too long, didn’t read” for those in a real hurry. It reads as follows and is very clear about what went on, and what users need to do:

“Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.”

Although the main body of text of the notification is not particularly complicated, this shorter paragraph breaks things down to their bare bones, so absolutely anyone can understand what’s taken place. This doesn’t always happen in breach notification situations!

The Reddit staff also held an “Ask Me Anything” (AMA) in the comments underneath the notification. Yes, Reddit is ideally suited to a Q&A interaction given its posting format, but they could just as easily have turned off replies. Can you remember the last time a breach notification gave users of a service a way to directly interact with staff dealing with the incident?

Finally, the employee concerned is not being fired, instead its notification says it is “working with our employees to fortify our security skills.”

Kudos to Reddit for being so open and approachable where this breach is concerned.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.