“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” Reddit posted in the announcements section of the site. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”
How did it happen?
The Reddit data breach was discovered on June 19 and appears to have taken place in the days prior—sometime between June 14 and June 18. The hacker targeted employee accounts with the site’s cloud and source code hosting providers. While Reddit has two-factor authentication in place for its employees, it used SMS-based authentication, which is less secure than other methods. (After several notable phishing attacks, Google moved from SMS and app-based authentication to physical security keys in 2017, and has not seen a successful attack since.) The SMS codes were intercepted, and the hacker was able to access some Reddit data.
What data was accessed?
Fortunately, the hacker was unable to access critical systems. According to Reddit’s analysis of the breach thus far, the hacker only accessed backup data, source code, and other logs. However, this includes all Reddit data from 2007 and earlier. Reddit says “the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages).”
Logs containing the email digests Reddit delivered between June 3 and June 17 of this year were also accessed. That includes the content of the emails themselves, user email addresses, and the account associated with that email address.
Some other Reddit information was breached with read-only access (things such as Reddit source code, internal logs, and configuration files), but the above two areas are the main ones that affect redditors.
What do redditors need to do?
Reddit is sending messages to longtime users who’ve been affected by the breach and resetting their passwords. If you used the same password on other sites that you used on Reddit in 2007, you should reset those passwords as well (and if you still use any of these passwords, you should change them for good measure). The good news: if you joined the site after 2007, you’re in the clear.
Regarding email digest access, you’re in the clear if you don’t have an email address attached to your account or if you did not have the “email digests” user preference selected during this time. If you did receive email digests during this period, check your inbox for emails from [email protected] between June 3 and June 17.
What is Reddit doing?
Since the Reddit data breach, the company has been working with law enforcement on an official investigation and contacting users who may have been affected by the breach. Reddit also says it has taken measures to ensure, going forward, that access to Reddit’s systems is more secure, with features such as additional encryption, enhanced logging, and token-based two-factor authentication.
And while unrelated to the data incident, Reddit is also hiring for a couple of security-related positions that should help continue to shore up its site against future threats.