Reddit informed its users today that a hacker broke into some of its systems and accessed user data, including current email addresses and a 2007 database that contained usernames and passwords that had already been salted and hashed (that is, scrambled for protection).
Reddit is sending an email to all affected users — mostly people who joined Reddit in 2007 or earlier. The hacker was also able to read the email digests Reddit sent out in June 2018 as well, so they could see users’ email addresses and relevant, safe-for-work subreddits they followed. Reddit is recommending users who may still be using passwords similar to the ones they had in 2007 to change their password on Reddit and other sites.
The company is also encouraging users to enable token-based two-factor authentication through a service like Authy or Google’s Authenticator, as the hacker gained access to Reddit’s systems through an SMS intercept attack. “We learned that SMS-based authentication is not nearly as secure as we would hope,” Reddit wrote in its post to users.
Intercepted SMS verification
Between June 14th and June 18th, the hacker compromised several Reddit employees’ accounts through the company’s cloud provider and source code hosts. Reddit had required two-factor authentication on these accounts, but the hacker intercepted the SMS verification codes and was able to gain access. The bad actor was able to see backup data, source code, and other employee logs in Reddit systems, but was not able to change any of it.
By June 19th, Reddit discovered the attack and began investigating the extent of the damage, while ramping up security measures. Reddit contacted law enforcement and is cooperating with their investigation.
The hacker was able to see private and public messages posted from 2005, when Reddit was created, to 2007. A user commenting on the security post also noted that the hacker could potentially piece together a Redditor’s actual username from their email address, and that, to be safe, users should delete any incriminating posts accessible from their profile.