IOTW: Source code stolen in Reddit phishing attack

A “highly targeted” phishing attack against social media site Reddit’s internal network has seen malicious actors steal the company’s source code and internal documents.

The breach occurred on February 5, after a phishing attack was launched at Reddit employees. The site said the attack contained “plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens”. 

After obtaining an employee’s credentials, the malicious actors were then able to gain access to Reddit’s internal systems. This meant that the hacker accessed Reddit’s internal business systems, dashboard, documents and source code. 

After being alerted to the phishing attack by the employee whose account was accessed, Reddit said it “removed the infiltrator’s access” and launched an investigation into the breach. The site noted that “similar phishing attacks” have been reported recently.

The data accessed in the breach included “limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information”, but Reddit confirmed that “user passwords and accounts are safe”.

The site also reported that there was “no evidence” any of its primary production systems being accessed, or that any of its users’ “non-public data” had been accessed or posted online.

Reddit has launched an internal investigation into the breach, as well as enhancing its security systems. Additionally, it urged users to enable multi-factor authentication and use a password manager both to set up complex passwords and to prevent themselves from being phished.

GitHub source code stole in phishing attack

On September 16, 2022, GitHub reported a phishing attack that involved a malicious actor posing as code integration and delivery platform CircleCI in order to harvest login credentials and authentication codes from employees and gain access to various user accounts.

The phishing site used by the hacker relayed time-based-one-time-passwords (TOTP) two-factor-authentication codes to the hacker in real time, allowing them to gain access to accounts protected by TOTP two-factor authentication. Accounts protected by hardware security keys were not vulnerable to this attack.

Throughout the cyber attack, the malicious actor was able to gain access to and download multiple private code repositories and use techniques to preserve their access to the account even in the event that the compromised user or organization changed their password.

Mailchimp targeted in phishing attack

On January 11 of this year, marketing automation company Mailchimp reported that it was the victim of a social engineering attack-related data breach. 

According to Mailchimp, the breach involved an “unauthorized actor accessing one of [the] tools used by Mailchimp customer-facing teams for customer support and account administration”.  

Following this, the malicious actor launched social engineering attacks on Mailchimp employees and contractors used by the company. Through these attacks, the hacker was able to steal employee credentials and then used this login information to gain access to “select Mailchimp accounts”. 
Mailchimp reported that the attack was targeted and limited to 133 accounts.

In the wake of the attack, Mailchimp suspended access for those accounts compromised in the attack to protect users’ data, and notified the account owners of the suspicious activity. All those affected were notified by Mailchimp by January 12, and the company has been working with them to safely reinstate their accounts.