As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).
Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Source
So, a completely normal phishing campaign doxxed all of Reddit.