Reddit fell victim to a hacker who gained access to some internal documents, code and systems at the social media company.
Reddit executive Christopher Slowe revealed the breach in a post saying the hacker waged a sophisticated phishing campaign targeting employees.
The hacker used a dummy website mimicking Reddit’s internal system in an effort to steal employees’ credentials and multifactor authentication information.
“After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems,” Mr. Slowe wrote on Thursday. “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).”
Reddit said it first learned of the hacking campaign on Feb. 5, and it has not yet seen evidence that non-public data was accessed or that any internal Reddit information was distributed or published online.
Mr. Slowe said the exposed data included limited contact information for hundreds of company contacts, including current and former employees, as well as limited advertising information.
Reddit also encouraged people to set up two-factor authentication for their own accounts and to use a password manager that generates complex codes.
“It’s always a good idea to update your password every couple of months — just make sure it’s strong and unique for greater protection,” Mr. Slowe wrote.
The employee whose credentials were compromised by the hacker self-reported the incident and faced no punishment, according to Reddit.
In response to a user’s question, Mr. Slowe said on Reddit that the victimized employee had two-factor authentication enabled, which he said was required for all employees to use Reddit and to access internal systems.