Reddit says hackers breached its systems, some user data compromised

Compromised user data includes some current email addresses and salted and hashed passwords from a 2007 database backup.
Written by Natalie Gagliordi, Contributor

Video: Reddit plans Ethereum and Litecoin support with crypto relaunch

Reddit has disclosed a breach of its systems that compromised user data including some current email addresses and salted and hashed passwords from a 2007 database backup.

On Wednesday, the web content aggregation platform notified users that a hacker gained access to several employee accounts via SMS intercept between June 14 and June 18. Reddit became aware of the attack on June 19 and says it has since mitigated the threat and rolled out improved systems and processes to prevent it from happening again.

Reddit uses two-factor authentication (2FA) to authenticate its primary access points for code and infrastructure, but Reddit said SMS-based authentication, which was targeted by the attacker, is "not nearly as secure" as the company thought.

Read also: Two-factor authentication: How and why to use it - CNET

"We point this out to encourage everyone here to move to token-based 2FA," the company said.

SMS hijacking is an increasingly common mode of attack, and critics of SMS 2FA will argue that it's actually a two-step verification process, which is considerably weaker than 2FA via a physical security key.

In terms of what exactly was accessed, Reddit said attackers obtained read-only access to systems, source code and other logs. This includes a complete copy of an old database backup of Reddit user data from the site's launch in 2005 through May 2007. It contained account credentials, email addresses and all content, including private messages.

Read also: This company can hack every iPhone in the world - TechRepublic

"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems," the company said.

Reddit is contacting affected users and requiring password changes for anyone still using the same password from 11 years ago.

These are 2018's biggest hacks, leaks, and data breaches


Reddit enables two-factor authentication

It has taken some time, but the website is finally offering enhanced security for Reddit accounts.

Reddit begins crackdown on content which 'glorifies' violence

Subreddits which "glorifies or incites" violence against people or animals are being closed down.

Facebook reveals new covert efforts to sway 2018 midterm elections

The social network isn't saying who's behind the campaign, noting that it doesn't have the technical evidence at this time to confidently point a finger.

Editorial standards