Reddit Reveals Hackers Compromised User Data, How To See If You're Affected
Reddit has announced that it suffered a security breach between June 14 and June 18 of this year. The website learned of the hack on June 19 and says that an attacker was able to compromise the accounts of a few Reddit employees along with Reddit's cloud and source code hosting providers. The main attack was apparently via an SMS intercept, as Reddit was using two-factor authentication.
The site notes that the attacker didn’t gain write access to its systems and had read-only access to some systems that contained backup data, source code, and other logs. After the attack, additional steps were taken to lock down the compromised data, and reddit says that it rotated all production secrets and API keys. Reddit says that it has been working with its cloud and service providers to understand how this will affect users. What Reddit found was that a complete copy of an old database was made.
Inside that database was a backup of early reddit user data from the launch of the site in May 2005 through May 2007. The most significant data in that database are account credentials that include usernames and salted hashed passwords, email addresses, and all public content along with private messages.
Reddit says that it is sending out messages to affected users and resetting passwords on accounts if the credentials stolen are still valid. If you signed up for Reddit after 2007, your account wasn’t compromised. The site gives this bit of advice:
If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
Reddit also recommends that you use a strong password along with two-factor authentication through its authenticator app (you can find instructions on how to enable this here). Another compromised bit is email logs that were sent in June 2018. The logs specifically contained email digests sent between June 3 and June 17. The logs connect usernames with associated email addresses and contain suggested posts from the safe for work subreddits users subscribe to. Reddit has reported the issue to law enforcement and is cooperating with the investigation. Reddit notes it suspects "weaknesses inherent to SMS-based 2FA to be the root cause of this incident."
For more information on what was stolen, how to determine if you're affected, and for a thorough discussion on the matter, check out this Reddit thread.