Reddit has revealed that it was recently hacked.
It emailed users and published a post on 1 August to announce that a hacker broke into its systems and accessed user data, including current email addresses and a 2007 database backup with old usernames and passwords that were scrambled (or "salted and hashed") for protection. That means the affected users are mostly people who joined the site in 2007 or earlier. Here's what you need to know.
When was Reddit hacked?
According to Reddit, it learned on 19 June that between 14 June and 18 June an attacker broke into a few of its systems.
What did the hacker access?
Reddit said the hacker "compromised a few employees’ accounts with our cloud and source code hosting providers" and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.
The hacker saw backup data, source code, and other employee logs in Reddit systems, but could not change any of it. The hacker was also able to see private and public messages posted from 2005 to 2007. The hacker was further able to read the June 2018 email digest, meaning he or she could see users’ email addresses and the subreddits they followed.
One Reddit user noted that it's possible the hacker could piece together a Redditor’s username from looking at their email address, too.
Do you need to do anything?
Reddit is recommending that users - who may still be using passwords similar to the ones they had in 2007 - change their password on Reddit and other sites. The company is also encouraging users to enable token-based two-factor authentication through Authy, Google’s Authenticator, or a similar service. Reddit had required two-factor authentication on its accounts, but the hacker intercepted the SMS verification:
"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."
What is Reddit doing now?
Reddit contacted law enforcement. It is also conducting an investigation to figure out just what was accessed, and plans to improve its systems and processes to prevent this from happening again. Lastly, Reddit said it is sending emails to users affected by the database hack, which does not impact people who signed up for Reddit after 2007. Reddit will be resetting the passwords of affected users.
Want to know more?
Here are some guides on how to change your Reddit password and enable token-based two factor: