Reddit was hacked, but the impact seems to be relatively minimal.
“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” Reddit posted in the announcements section of the site. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”
How did it happen?
The Reddit data breach was discovered on June 19 and appears to have taken place in the days prior—sometime between June 14 and June 18. The hacker targeted employee accounts with the site’s cloud and source code hosting providers. While Reddit has two-factor authentication in place for its employees, it used SMS-based authentication, which is less secure than other methods. (After several notable phishing attacks, Google moved from SMS and app-based authentication to physical security keys in 2017, and has not seen a successful attack since.) The SMS codes were intercepted, and the hacker was able to access some Reddit data.
What data was accessed?
Fortunately, the hacker was unable to access critical systems. According to Reddit’s analysis of the breach thus far, the hacker only accessed backup data, source code, and other logs. However, this includes all Reddit data from 2007 and earlier. Reddit says “the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages).”
Logs containing the email digests Reddit delivered between June 3 and June 17 of this year were also accessed. That includes the content of the emails themselves, user email addresses, and the account associated with that email address.
Some other Reddit information was breached with read-only access (things such as Reddit source code, internal logs, and configuration files), but the above two areas are the main ones that affect redditors.
What do redditors need to do?
Reddit is sending messages to longtime users who’ve been affected by the breach and resetting their passwords. If you use the same password you used on Reddit in 2007 on other sites, you should reset those passwords as well (and if you use any of these passwords, you should change it for good measure). The good news: If you joined the site after 2007, you’re in the clear.
Regarding email digest access, you’re in the clear if you don’t have an email address attached to your account or if you did not have the “email digests” user preference selected during this time. If you did receive email digests during this period, check your inbox for emails from [email protected] between June 3 and June 17.
What is Reddit doing?
Since the Reddit data breach, the company has been working with law enforcement on an official investigation and contacting users who may have been affected by the breach. Reddit also says it has taken measures to ensure, going forward, that access to Reddit’s systems is more secure with features such as additional encryption, enhanced logging, and token-based two-factor authentication.
And while unrelated to the data incident, Reddit is also hiring for a couple of security-related positions that should help continue to shore up its site against future threats.
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.