By Bruce Sussman
Thu | Aug 2, 2018 | 7:41 AM PDT

When it comes to breach announcements, our SecureWorld team still hasn't seen it all, but we're getting closer to that point.

If you're looking for a new gig in information security, we have some good news: Reddit is hiring.

However, bad news: The company told the world about the openings at the end of its breach announcement. Take one of the Reddit cybersecurity jobs and you're going straight into the fire!

Of course, it is entirely possible you're looking for this kind of challenge.

Reddit announces cybersecurity hire and job openings after breach

We have to give Reddit credit here for a sense of humor:

"In other news, we hired our very first Head of Security, and he started 2.5 months ago. I’m not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months. So far he hasn’t quit."

He hasn't quit, but we're pretty sure his heart rate is up.

We saw a presentation at SecureWorld Seattle where the CISO proved her incident response stress with data tracked by her FitBit.


Reddit continued on the job front:

"On a related note, if you’d like to help out here and have a security background, we actually have a couple of open security roles right now."

Yes, just like nearly every company on the planet, Reddit has openings in IT security. Is cloud security or threat detection of interest to you?

Readers respond to Reddit's cybersecurity job openings

Readers wasted no time responding to the jobs announcement and quickly offered to help. But we're not sure this is what Reddit was actually hoping for.

Dr. Smoothrod_PhD said:

"I am willing to offer my security services. I can conduct ocular patdowns, once scored a point in an actual karate tournament against an actual black belt, have watched all four Lethal Weapon movies and Predator (the original with all the hardbody beefcakes, not those newer ones cast with wimpy jabronis), and I'm so hard that people are scared of me... and they should be, 'cause I'll explode all over them."

nathanb065 posted:

"I, like many others on this site, work in IT. Security background includes not terminating cables properly, keeping servers off as much as possible, AND in the event of a cyber attack, 'break glass and pull cables' is basically muscle memory by now."

The thread kind of devolved from there, with Reddit users showing their typical candor. Topics included everything from how far behind Reddit must be on cybersecurity to the notification failing to meet the 72-hour GDPR requirements, to what the site is not doing to stop the Russian disinformation campaign.

Reddit believes 2FA weakness led to breach

And, oh yes, Reddit did announce the actual breach. Here are some basic facts about the Reddit breach according to the company's post:

  • Reddit hacking dates: "On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers."
  • Two-factor authentication to blame? "...we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."
  • What was accessed? The OLD: A complete copy of an old database backup containing very early Reddit user data—from the site’s launch in 2005 through May 2007. This includes user names, hashed passwords, email addresses, and content including private messages.
  • What was accessed? The NEW: "Logs containing the email digests we sent between June 3 and June 17, 2018. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to." In other words, this could reveal your Reddit anonymity.

Here is the full Reddit breach announcement. But be warned that if you start reading the threads from Reddit users, you won't get much done today, because they are extremely creative. Take Wobbles42's comment:

"The worst part of this is that the hacker accessed all that information without being informed of how much better the experience would have been in the Reddit app."