Reddit was hacked, but the impact seems to be relatively minimal.
“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords,” Reddit posted in the announcements section of the site. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”
How did it happen?
The Reddit data breach was discovered on June 19 and appears to have taken place in the days prior—sometime between June 14 and June 18. The hacker targeted employee accounts with the site’s cloud and source code hosting providers. While Reddit has two-factor authentication in place for its employees, it used SMS-based authentication, which is less secure than other methods. (After several notable phishing attacks, Google moved from SMS and app-based authentication to physical security keys in 2017, and has not seen a successful attack since.) The SMS codes were intercepted, and the hacker was able to access some Reddit data.
What data was accessed?
Fortunately, the hackers were unable to access critical systems. According to Reddit’s analysis of the breach thus far, the hacker only accessed backup data, source code, and other logs. However, this includes all Reddit data from 2007 and earlier. Reddit says “the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages).”
Logs containing the email digests Reddit delivered between June 3 and June 17 of this year were also accessed. That includes the content of the emails themselves, user email addresses, and the account associated with that email address.
Some other Reddit information was breached with read-only access (things such as Reddit source code, internal logs, and configuration files), but the above two areas are the main ones that affect redditors.
What do redditors need to do?
Reddit is sending messages to longtime users who’ve been affected by the breach and resetting their passwords. If you use the same password you used on Reddit in 2007 on other sites, you should reset those passwords as well (and if you use any of these passwords, you should change it for good measure). The good news: If you joined the site after 2007, you’re in the clear.
Regarding email digest access, you’re in the clear if you don’t have an email address attached to your account or if you did not have the “email digests” user preference selected during this time. If you did receive email digests during this period, check your inbox for emails from [email protected] between June 3 and June 17.
What is Reddit doing?
Since the Reddit data breach, the company has been working with law enforcement on an official investigation and contacting users who may have been affected by the breach. Reddit also says it has taken measures to ensure, going forward, that access to Reddit’s systems is more secure with features such as additional encryption, enhanced logging, and token-based two-factor authentication.
And while unrelated to the data incident, Reddit is also hiring for a couple of security-related positions that should help continue to shore up its site against future threats.
Christina Bonnington is a tech reporter who specializes in consumer gadgets, apps, and the trends shaping the technology industry. Her work has also appeared in Gizmodo, Wired, Refinery29, Slate, Bicycling, and Outside Magazine. She is based in the San Francisco Bay Area and has a background in electrical engineering.