Reddit Hack Shows Limits of MFA, Strengths of Security Training
Threats Hub
On Jan. 9, Reddit notified its users that a threat actor had successfully convinced an employee to click on a link in an email sent out as part of a spearphishing attack, which led to “a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.”
The compromise of the employee’s credentials allowed the attacker to sift through Reddit’s systems for a few hours, accessing internal documents, dashboards, and code, Reddit stated in its advisory.
The company continues to investigate, but there is no evidence yet that the attacker gained access to user data or production systems, Reddit CTO Chris Slowe (aka KeyserSosa) stated in a follow-up AMA.
Techniques like MFA fatigue or “bombing” — as seen with last fall’s Uber attack — make getting around 2FA a simple numbers game. In that scenario, the attackers send repeated targeted phishing attempts to employees until someone tires of the notifications and gives up their credentials and the one-time password token. Moves beyond 2FA are starting to happen: providers of identity and access management technologies, for instance, are adding more information to access requests, such as the user’s location, to provide context that can help determine whether the request should be approved, says Tonia Dudley, CISO at Cofense, a phishing protection firm.
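MFA fatigue as described above leaves a recognizable trace in an identity provider's push-notification log: a burst of prompts to one user, several denials, then an approval. The following added example (not code from the article, Reddit, or Cofense) flags that pattern over a constructed log in a hypothetical `time user event ip` format; the event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not any real IdP's): time, user, event, source IP
SAMPLE_LOG = """\
2023-02-05T22:01:03Z alice push_sent 203.0.113.7
2023-02-05T22:01:20Z alice push_denied 203.0.113.7
2023-02-05T22:02:05Z alice push_sent 203.0.113.7
2023-02-05T22:02:30Z alice push_denied 203.0.113.7
2023-02-05T22:03:11Z alice push_sent 203.0.113.7
2023-02-05T22:03:40Z alice push_denied 203.0.113.7
2023-02-05T22:04:02Z alice push_sent 203.0.113.7
2023-02-05T22:04:55Z alice push_sent 203.0.113.7
2023-02-05T22:05:10Z alice push_approved 203.0.113.7
2023-02-05T22:06:00Z bob push_sent 198.51.100.4
2023-02-05T22:06:15Z bob push_approved 198.51.100.4
"""


def parse_log(text):
    """Parse 'time user event ip' lines into (datetime, user, event, ip) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip))
    return sorted(events)


def detect_push_fatigue(text, window=timedelta(minutes=10), min_prompts=4):
    """Flag users who received at least `min_prompts` push prompts inside `window`.

    Returns {user: {"prompts": n, "denials": d, "approved_after_denials": bool}}.
    An approval that follows earlier denials in the same burst is the strongest signal
    that the user eventually gave in to the notifications.
    """
    by_user = defaultdict(list)
    for ts, user, event, _ip in parse_log(text):
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        sent = [ts for ts, e in evs if e == "push_sent"]
        for i, start in enumerate(sent):  # slide a window over prompt times, report first burst
            end = start + window
            burst = [t for t in sent[i:] if t <= end]
            if len(burst) < min_prompts:
                continue
            in_window = [e for ts, e in evs if start <= ts <= end]
            first_denial = next((k for k, e in enumerate(in_window) if e == "push_denied"), None)
            findings[user] = {
                "prompts": len(burst),
                "denials": in_window.count("push_denied"),
                "approved_after_denials": first_denial is not None
                and "push_approved" in in_window[first_denial:],
            }
            break
    return findings
```

Flagged users are candidates for a prompt reset and a check on the source IP and location of the approving session, which is the kind of context the identity vendors mentioned above are adding.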
Ironically, the Reddit hack also demonstrates the advantages that employee training can deliver. The employee suspected something was wrong after entering credentials into the phishing site, and soon after contacted Reddit’s IT department. That reduced the attacker’s window of opportunity and limited the damage.
Link: https://www.threatshub.org/blog/reddit-hack-shows-limits-of-mfa-strengths-of-security-training/