Reddit hacked after employees fall victim to phishing attack

On February 5, Reddit's systems were compromised by a phishing attack in which hackers gained access to internal documents, systems, and code.

Reddit wrote in a lengthy post last night that it had recently become aware of "a sophisticated phishing campaign targeting Reddit employees." The attackers tried to trick employees into handing over their credentials and second-factor tokens by sending links to a fake website that "mimics the operation of our intranet gateway."

One employee self-reported having fallen prey to the phishing attack, through which the attacker obtained login credentials. From there, according to Reddit, the bad guys gained access to "some internal documents, code, some internal dashboards and business systems."

According to Reddit's further investigation, the exposed data also included "limited" contact and advertiser information for current and former employees. There was no evidence that "key production systems" had been compromised.

According to the company's investigation, no Reddit user accounts or passwords were affected by the attack. Once security became aware of the situation, they revoked access to those accounts. The post also noted that similar phishing attacks have been reported recently by other Reddit employees.

Reddit later commented, "As we all know, humans are often the weakest link in the security chain." This is the most passive-aggressive message an IT person can send after someone has fallen for a phishing scam.

At the end of the post, Reddit recommends various ways to keep Reddit accounts secure, including enabling two-factor authentication and using a password manager. Password managers are great for preventing phishing attacks because they can detect something fishy about the domain you are trying to log on to.
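The domain check described above, sketched as an added example that is not code from Reddit or from any particular password manager. It assumes exact-origin matching (real managers differ in how strictly they match), and every hostname in it is a constructed placeholder.

```javascript
// Assumption: a saved login is offered only when the page origin
// (scheme + host + port) equals the origin the login was saved for.
// All hostnames are constructed placeholders, not real Reddit hosts.
const vault = [
  { origin: "https://gateway.corp.example", username: "alice" },
];

// Return the saved entries that may be offered on the page at pageUrl.
function entriesFor(pageUrl, entries = vault) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return []; // unparseable URL: never offer a login
  }
  if (page.protocol !== "https:") return []; // never fill over plain HTTP
  // URL.origin is computed after WHATWG parsing, so letter case, the
  // default port and any userinfo part are already normalised away.
  return entries.filter((e) => new URL(e.origin).origin === page.origin);
}

// Constructed sample pages: the genuine gateway, then pages that look
// right to a hurried reader but have a different origin.
const samples = [
  "https://gateway.corp.example/login",
  "https://GATEWAY.corp.example:443/login",
  "https://gateway.corp.example.login-portal.example/login", // name used as subdomain
  "https://gateway.corp.example@login-portal.example/",      // name used as userinfo
  "https://gateway-corp.example/login",                      // one character differs
  "http://gateway.corp.example/login",                       // right host, no TLS
];

// For each URL, report whether the manager would offer the saved login.
function report(urls = samples) {
  return urls.map((u) => ({ url: u, offered: entriesFor(u).length > 0 }));
}

console.table(report());
```

When the manager offers nothing on a page that looks like the usual login, that silence is the signal to stop and check the address bar.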

Personally, I am pleased to see that my favorite subreddit was not affected.
