Reddit has disclosed a breach of its systems that compromised user data including some current email addresses and salted and hashed passwords from a 2007 database backup.
On Wednesday, the web content aggregation platform notified users that a hacker gained access to several employee accounts via SMS intercept between June 14 and June 18. Reddit became aware of the attack on June 19 and says it has since mitigated the threat and rolled out improved systems and processes to prevent it from happening again.
Reddit uses two-factor authentication (2FA) to authenticate its primary access points for code and infrastructure, but Reddit said SMS-based authentication, which was targeted by the attacker, is "not nearly as secure" as the company thought.
"We point this out to encourage everyone here to move to token-based 2FA," the company said.
SMS hijacking is an increasingly common mode of attack, and critics of SMS 2FA will argue that it's actually a two-step verification process, which is considerably weaker than 2FA via a physical security key.
In terms of what exactly was accessed, Reddit said attackers obtained read-only access to systems, source code and other logs. This includes a complete copy of an old database backup of Reddit user data from the site's launch in 2005 through May 2007. It contained account credentials, email addresses and all content, including private messages.
"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems," the company said.
Reddit is contacting affected users and requiring password changes for anyone still using the same password from 11 years ago.