Reddit this morning announced that it has suffered a data breach, with a hacker able to access email addresses from some current accounts and a 2007 database backup that included old salted and hashed passwords.
The data breach occurred between June 14 and June 18, with hackers accessing Reddit employee accounts through the company’s cloud and source code hosting providers rather than the site itself. Those systems were protected by SMS-based two-factor authentication, which was bypassed; the main attack happened through SMS intercept.
Reddit has a detailed list of what was accessed. A complete copy of an old database backup containing early Reddit user data was stolen, and Reddit says that the most significant data in the backup included account credentials (username and salted hashed passwords), email addresses, and public and private messages.
Email digests sent by Reddit in June 2018 were also obtained. This included usernames linked to an associated email address along with suggested posts from select subreddits.
Reddit is sending emails to users affected by the database hack, which does not impact people who signed up for Reddit after 2007.
Customers who do not have an email address associated with their accounts or who did not check the “email digests” user preference are not affected by the email digest breach.
Reddit has informed law enforcement, is cooperating with an investigation, and has taken measures to ensure privileged access to its systems is more secure.
Reddit says it will be resetting the passwords of affected users, but the site recommends all Redditors consider updating their passwords to something strong and unique, as well as enabling two-factor authentication. Reddit’s two-factor authentication is via authenticator app and is not vulnerable to SMS intercept.