Hackers infiltrated Reddit and pillaged user data from 2007 and earlier

Reddit discloses ‘serious’ security breach it discovered on June 19th

This database included usernames, salted and hashed passwords, email addresses, and all content. Reddit users could potentially be robbed of their anonymity if usernames are connected to emails. Reddit's chief technology officer, Christopher Slowe, today revealed that the site experienced a data breach between June 14 and June 18, 2018, in which some of its users' personal data was accessed.

Details about the hacker's identity are not addressed in the company's blog post.

If your account credentials were affected and there's a chance the credentials relate to the password you're now using on Reddit, we'll make you reset your Reddit account password. Users who signed up after 2007 were not affected by this part of the data breach.

How the hack actually happened has exposed the flaw in SMS-based two-factor authentication (2FA) - the process whereby a text is sent to your phone to confirm a login request.

"As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data", it said.

"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept", he shared. "Many online services mirror and cache old Reddit data, so there may be no way to take back past comments shared online", he said.

Regarding email digest access, you're in the clear if you don't have an email address attached to your account or if you did not have the "email digests" user preference selected during this time.

Most of the other data accessed is on the Reddit backend, so there isn't expected to be other compromised user data.

Many are asking why Reddit waited so long to disclose the data breach, given that GDPR stipulates a 72-hour window to report such breaches if they're considered.

Reddit reported the incident to law enforcement and is now aiding with the outside investigation.

The company reported the issue to law enforcement and is cooperating with the investigation. You'll also find your password has been reset if your stolen credentials might still be valid.

Predictably, security specialists are pointing out this hack as another example of the failure of two-factor authentication.

He did not say how the employees' passwords were compromised, nor how the attacker was able to intercept the SMSes with the additional authentication factor. The bad news? It involved a two-factor authentication scam.

It's a common way to protect your account from people who have nicked your password.

For those thinking that deleting their Reddit account may assist them, Small said the cat is out of the bag. Fortunately, the hacker/hackers only gained access to backups from May 2007. It's not as hard as you might think.

Reddit said the hacker never got "write access" to its servers.
