Popular social media site Reddit – “orange Usenet with ads”, as we’ve somewhat ungraciously heard it described – is the latest well-known web property to suffer a data breach in which its own source code was stolen.

In recent weeks, LastPass and GitHub have confessed to similar experiences, with cybercriminals apparently breaking and entering in much the same way: by figuring out a live access code or password for an individual staff member, and sneaking in under cover of that individual’s corporate identity.
In Reddit’s own words:

systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.

We’re not sure quite how suitable the adjective “sophisticated” is here, not least because Reddit quickly goes on to state that:

As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens. After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run and store the majority of our data).
In other words, this attack almost certainly succeeded not because it was sophisticated, but because it wasn’t.

Someone, perhaps in a hurry, arrived at what they thought was the frontier, handed over their passport to a fellow-traveller instead of to an official border agent, and then found themselves trapped in nowhere-land without any ID while the imposter sailed through the border crossing in their name.

The single most important factor in an identity-hijacking attack of this sort is not sophistication but, as Reddit rightly pointed out above, plausibility, which makes it easy even for well-informed and cautious individuals to “coast through” based on habit and experience.
The risk posed by habitual behaviour is why official British road signage includes a bright red rectangle containing the words NEW ROAD LAYOUT AHEAD, used when a busy piece of road gets reorganised.

The sign isn’t there to protect old-timers from nervous new road users who might find a big junction or roundabout complicated. It’s there to protect those new users, who have no choice but to work cautiously from first principles and are therefore likely to follow the road rules just fine, from old-timers who think they “know” how traffic will behave at that location, and therefore sail through carelessly, based on incorrect assumptions and “learned-but-now-improper” behaviour.
How far did the crooks get?

As already stated, some of Reddit’s own internal systems were accessed by the attackers.

In addition to the mostly-harmless-sounding “docs” and “code” listed above, Reddit has admitted that information about past and present employees and “contacts” (we’re assuming this includes, but is not limited to, contractors and other non-permanent staffers) was stolen, along with information about advertising customers.

Reddit hasn’t stated publicly what sort of data fields were included in the stolen information, merely that the breach was “limited”.

The word limited might be a good sign (e.g. name and email address, and no other data), but could just as easily be a bad thing (e.g. “only” two data items: your social security number and a scan of your driving licence).
Signed-up users of the Reddit service, it seems – Redditors, as they are known – can stand down from Blue Alert, with Reddit saying that its investigation so far shows no indication that what it calls “non-public data” (in other words, stuff that you didn’t post for the world to see anyway) was accessed by the cybercriminals.

And, as mentioned earlier, the Reddit systems themselves – the operating systems, code and networks that run the Reddit services you interact with, whether as a user or a visitor – don’t seem to have been breached.

From this, we infer that the crooks are unlikely to have made off with data such as login records, system logs, location information or password hashes.

The company also stated, in its notification, that it is still investigating this incident (which happened on Sunday 2023-02-05). Given its reasonably quick response so far, we’re guessing that Reddit will follow up in due course to say whether it found any further evidence of compromise.
What to do?

To be honest, unless you’re a Reddit staffer or advertiser, it doesn’t look as though there’s much you can or need to do right now.

(We’re assuming, if you do work for or advertise with Reddit, that the company will already have contacted you personally if your data was amongst the “limited” information stolen, which we would consider a better short-term response than telling the whole world first.)

Reddit itself has made three suggestions, namely:
- Protect against phishing by using a password manager. This makes it harder to put the right password into the wrong site, because the password manager isn’t deceived by the look-and-feel of a site, but works unemotionally with the exact name of the web page it sees in the address bar. Ironically, this seems to be advice that Reddit itself didn’t follow, given that the attackers used a plausible look-alike site to steal login credentials, which a password manager would presumably have rejected as unknown.
- Turn on 2FA if you can. This means you need a one-time code that changes at every login, which makes a stolen password useless on its own. We agree that this is a great idea, but note that Reddit’s own mechanism for 2FA (two-factor authentication), based on a regularly-changing six-digit code generated by an app on your phone, apparently didn’t help here, because the attackers phished both a current password and a valid-right-now 2FA code.
- Change your passwords every two months. We disagree with this advice, as does the US National Institute of Standards and Technology (NIST). Change for change’s sake is rarely a good idea, because it tends to enforce habitual behaviour that, in the words of Naked Security friend and colleague Chester Wisniewski, “gets everybody in the habit of a bad habit”.
BUSTING PASSWORD MYTHS

Even though we recorded this podcast more than a decade ago, the advice it contains is still relevant and thoughtful today. We haven’t hit the passwordless future yet, so password-related cybersecurity advice will be valuable for a good while yet.
In short: we continue to recommend password managers, especially if you tend to drift into the habit of picking obvious, identical or even similar passwords for multiple sites without one.
We also recommend password managers as a helpful tool for pulling you up short on imposter sites that look visually perfect to you, but that don’t match the plain and emotionless expectations of your password manager.
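To make that “plain and emotionless” check concrete, here is an added example (our own illustration, not code from Reddit or from any particular password manager) of the decision a manager makes before it fills a login: it normalises the page’s origin (scheme, host and port) and requires an exact match against the origin the credentials were saved under, ignoring everything about how the page looks. The vault, the hostname intranet.example-corp.test and the look-alike URLs are all constructed for the demonstration.

```python
"""The check a password manager makes before filling a login: exact origin match, not look-and-feel."""
from urllib.parse import urlsplit

# Constructed sample vault (not real credentials). A manager stores each login
# against the origin (scheme, host, port) where it was saved, nothing visual.
VAULT = {
    "https://intranet.example-corp.test": {"user": "alice", "password": "not-a-real-secret"},
}

# Constructed look-alike URLs of the kinds a phishing page uses; all must be refused.
LOOKALIKES = [
    "https://intranet.example-corp.test.sso-login.example",  # real name buried as a subdomain of the crook's domain
    "https://intranet-example-corp.test",                    # hyphen where the dot should be
    "https://intranet.example-corp.test@evil.example/",      # real name in the userinfo part; the host is evil.example
    "http://intranet.example-corp.test",                     # right host, plaintext scheme
    "https://intranet.example-corp.test:8443",               # right host, unexpected port
    "https://intranet.ex\u0430mple-corp.test",               # Cyrillic 'а' (U+0430) homograph of the ASCII name
]


def normalise_origin(url: str):
    """Return (scheme, ascii_host, port) for url, or None if it is not a usable web origin.

    Hosts are lowercased and IDNA-encoded, so a homograph label becomes an xn--
    label and can never compare equal to the ASCII name it imitates.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname   # already lowercased; userinfo and port stripped
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None             # unencodable label: refuse rather than guess
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port)


def autofill_candidate(vault: dict, page_url: str):
    """Return the vault entry whose saved origin equals the page's origin exactly, else None.

    Equality is on the normalised (scheme, host, port) tuple; how the page looks is irrelevant.
    """
    page = normalise_origin(page_url)
    if page is None:
        return None
    for saved_url, entry in vault.items():
        if normalise_origin(saved_url) == page:
            return entry
    return None


if __name__ == "__main__":
    print(autofill_candidate(VAULT, "https://intranet.example-corp.test/login?next=/home"))  # fills alice
    for url in LOOKALIKES:
        print("refused" if autofill_candidate(VAULT, url) is None else "FILLED", url)
```

Two caveats a practitioner will want. Some real managers match on the registrable domain rather than the full host, which is convenient but looser than the exact-origin rule above. And a manager can only decline to fill: a user who copies the password out of it and pastes it into the clone by hand has quietly undone the protection.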
And we advise you to turn on 2FA wherever you can, even though we know it’s a bit of a hassle. We nevertheless remind you that 2FA codes (such as those one-time 6-digit SMS or app-based messages) can still be phished, as happened here to Reddit, so they are no substitute for caution.
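Here is an added example (ours, not Reddit’s code or that of any authenticator app) of why an app-generated code stops helping the moment you type it into the crook’s site: an RFC 6238 TOTP implemented with the standard library, a server check with the usual one-step tolerance, and a relay in which the code captured by the clone is forwarded to the real site a few seconds later. For contrast it ends with a deliberately simplified origin-bound challenge-response (the idea behind FIDO2/WebAuthn security keys, not an implementation of that protocol), where a response the device computed for the clone’s origin fails at the real one. SEED, DEVICE_KEY, T and the origins are constructed values; the attacker is assumed to have phished the password already.

```python
"""TOTP codes are phishable in real time: a relay simulation, plus the origin-bound contrast."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps), as used by common phone authenticator apps."""
    counter = at_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps either side."""
    for skew in range(-window, window + 1):
        candidate = totp(secret, at_time + skew * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def phish_and_relay(secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """Simulate the attack: the victim types a fresh code into the clone site at victim_time and
    the attacker forwards it to the real site relay_delay seconds later.
    Returns True if the real site accepts the relayed code."""
    code_typed_into_clone = totp(secret, victim_time)           # what the phishing page captured
    return verify_totp(secret, code_typed_into_clone, victim_time + relay_delay)


def origin_bound_response(device_key: bytes, challenge: bytes, origin_seen_by_device: str) -> bytes:
    """Simplified origin binding (the idea behind FIDO2/WebAuthn, not that protocol): the
    authenticator MACs the server's challenge together with the origin it is really talking to."""
    return hmac.new(device_key, challenge + b"|" + origin_seen_by_device.encode(), hashlib.sha256).digest()


def verify_origin_bound(device_key: bytes, challenge: bytes, response: bytes, expected_origin: str) -> bool:
    """The real site verifies against its own origin, so a response minted for a clone fails."""
    expected = origin_bound_response(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


# Constructed demonstration values (not real secrets).
SEED = b"12345678901234567890"          # the RFC 6238 test-vector secret
DEVICE_KEY = b"constructed-authenticator-key"
T = 1_700_000_010                       # a moment at the start of a 30 s step
REAL_ORIGIN = "https://intranet.example-corp.test"
CLONE_ORIGIN = "https://intranet.example-corp.test.sso-login.example"

if __name__ == "__main__":
    print("TOTP relayed within 20 s, accepted:", phish_and_relay(SEED, T, 20))   # True
    print("TOTP relayed after 90 s, accepted:", phish_and_relay(SEED, T, 90))    # False
    challenge = b"server-nonce-0001"
    phished = origin_bound_response(DEVICE_KEY, challenge, CLONE_ORIGIN)
    print("origin-bound response relayed, accepted:",
          verify_origin_bound(DEVICE_KEY, challenge, phished, REAL_ORIGIN))       # False
```

The relay succeeds because nothing in a six-digit code says where it was typed; the only thing the attacker has to get right is speed, which is why these phishing kits proxy the victim’s session live rather than collecting codes for later. The origin-bound version fails for the crook not because the device was cleverer, but because the origin is an input to the answer, so the clone’s answer is simply wrong at the real site.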
But we don’t agree with forcing yourself to change all your passwords regularly on an algorithmic basis. It’s much better to change your passwords right away whenever you genuinely think it’s worth doing so than to rely on “I’ll be changing it sometime soon anyway, so I’ll just wait until the process tells me to do it.”

(We’re not saying you mustn’t change your passwords all the time if that makes you happy, but doing it as what you might call a “procedural requirement” will give you a false sense of security, and uses up time you could spend on other tasks that directly improve your online safety.)
As we’ve said before, we may be heading towards a passwordless future, but we suspect we’ll all be juggling passwords for at least some important online service for many years yet.