Reddit discloses hack, reveals hackers stole email addresses and old passwords
Reddit, the social discussion and forum-hosting website, said in a blog post on Wednesday that a security breach earlier this summer compromised personal information of some users, including email addresses and private messages. However, the company did not disclose how many of its users were affected.
According to Reddit, the hackers managed to break into its computer systems and obtained access to some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. This 2007 backup held very early Reddit user data: account credentials (usernames and salted, hashed passwords), email addresses, and all content (mostly public, but also private messages) from the site's launch in 2005 through May 2007.
The cyberattack took place between June 14 and June 18, when hackers “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” the company said, and its website administrators became aware of the hack on June 19.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code, and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company added.
Reddit used the common SMS-based two-factor authentication (2FA) to protect its primary access points for code and infrastructure. However, Reddit said the attackers had intercepted the SMS 2FA verification codes.
“We learned that SMS-based authentication is not nearly as secure as we would hope,” Reddit said in its warning post.
“We’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”
Reddit is messaging affected user accounts and has suggested that people check their Reddit inboxes and email to see whether they were affected.
The company said in its post: “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password.
“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want to be associated back to that address.”
For more information on how to remove information from your account, you can visit this help page.
Reddit has recommended that users choose a strong, unique password and enable 2FA (which the company provides via an authenticator app, not SMS). It has also asked users to be alert for potential phishing or scams.