Reddit suffers breach; user information accessed

Share

While the impact would be on a few users, this backup contained not only usernames and passwords, but also private messages.

"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication, we learned that SMS-based authentication is not almost as secure as we would hope", said Reddit. Users who signed up after 2007 were not affected by this part of the data breach.

Users will be receiving messages from Reddit officials if their information was accessed.

The second data store included logs and databases linked to Reddit's daily digest emails, which was accessed between 3 and 17 June this year. And for users whose email addresses were accessed through the email digest, Reddit said, "think about whether there's anything on your Reddit account that you wouldn't want associated back to that address". So that means if you created your account after this date, you should be in the clear.

The attacker wasn't able to make any changes to Reddit, but they gained access to private user files. For the compromised account credentials which may still be valid, Reddit is informing users and resetting passwords.

According to Reddit, it learned on 19 June that between 14 and 18 June attackers compromised a small number of employee accounts used to access "cloud and source code hosting providers". Primary access points for code and infrastructure are behind 2FA but SMS-based authentication was not secure enough.

More news: Trump rejects ‘overrated’ conservative Koch donor network
More news: Manafort's lawyers blame Gates in bank fraud trial
More news: Donald Trump says he had ‘very nasty’ relationship with special counsel

Robert Siciliano, security analyst at online security company Hotspot Shield, said the breach can have serious far-reaching consequences.

What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018.

The breach mostly affects Redditors that have been on the site since 2007 or earlier, but even if you made your account at a later date, you should still keep reading as there's a chance some info was still exposed. "Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today", Reddit said. It appears that SMS-based two-factor authentication played a key role.

"We learned that SMS-based authentication is not almost as secure as we would hope, and the main attack was via SMS intercept", Reddit founding engineer Christopher Slowe said.

'The details you added are more than many other companies do, and it told me exactly what data of mine was at risk!' wrote user Sam-Gunn.

Because of this, the Reddit team is recommending that everyone move to two-factor authentication (2FA) just in case the hackers attempt to use their login credentials. Speaking to The Atlantic, Reddit co-founder Steve Huffman said: "When people detach from their real-world identities, they can be more authentic, more true to themselves".

Share