“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” Reddit posted in the announcements section of the site. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”
How did it happen?
The Reddit data breach was discovered on June 19 and appears to have taken place in the days prior—sometime between June 14 and June 18. The hacker targeted employee accounts with the site’s cloud and source code hosting providers. While Reddit has two-factor authentication in place for its employees, it used SMS-based authentication, which is less secure than other methods. (After several notable phishing attacks, Google moved from SMS and app-based authentication to physical security keys in 2017, and has not seen a successful attack since.) The SMS codes were intercepted, and the hacker was able to access some Reddit data.
What data was accessed?
Fortunately, the hacker was unable to access critical systems. According to Reddit’s analysis of the breach thus far, the hacker only accessed backup data, source code, and other logs. However, this includes all Reddit data from 2007 and earlier. Reddit says “the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages).”
Logs containing the email digests Reddit delivered between June 3 and June 17 of this year were also accessed. That includes the content of the emails themselves, user email addresses, and the account associated with that email address.
Some other Reddit information was breached with read-only access (things such as Reddit source code, internal logs, and configuration files), but the above two areas are the main ones that affect redditors.
What do redditors need to do?
Reddit is sending messages to longtime users who’ve been affected by the breach and resetting their passwords. If you use the same password you used on Reddit in 2007 on other sites, you should reset those passwords as well (and if you use any of these passwords, you should change it for good measure). The good news: If you joined the site after 2007, you’re in the clear.
Regarding email digest access, you’re in the clear if you don’t have an email address attached to your account or if you did not have the “email digests” user preference selected during this time. If you did receive email digests during this period, check your inbox for emails from [email protected] between June 3 and June 17.
What is Reddit doing?
Since the Reddit data breach, the company has been working with law enforcement on an official investigation and contacting users who may have been affected by the breach. Reddit also says it has taken measures to ensure, going forward, that access to Reddit’s systems is more secure, with features such as additional encryption, enhanced logging, and token-based two-factor authentication.
And while unrelated to the data incident, Reddit is also hiring for a couple of security-related positions that should help continue to shore up its site against future threats.
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.