Hacker Stole Reddit User Data from 2007 and Earlier
A bad actor was able to gain access to Reddit's systems through intercepting the two-factor SMS verification system.
- By Sydny Shepard
- Aug 02, 2018
Reddit, a popular aggregator of user rated content, informed its users that a hacker broke into some of its systems and accessed user data, including email addresses and a 2007 database that contained usernames and passwords that were already "salted and hashed" or scrambled for protection.
Reddit sent emails to all its affected users - mostly people who joined Reddit in 2007 or earlier. The hacker was able to read the email digests Reddit sent out in June 2018 as well, so they could see the users' email addresses and relevant, safe-for-work subreddits they followed.
Reddit is recommending users who may still be using passwords similar to the ones they had in 2007 to change their password on Reddit and other websites.
The company is also encouraging users to enable token-based two-factor authentication through a service like Authy or Google's Authenticator, as the hacker gained access to Reddit's systems through an SMS intercept attack.
Between June 14th and June 18th, the hackers compromised several Reddit employee's accounts through the company's cloud provider and source cost hosts. Reddit had required two-factor authentication on its accounts but the hacker intercepted the SMS verification and was able to gain access.
The hacker could see backup data, source code and other employee logs in Reddit systems, but did not have access to changing any of it.
By June 19, Reddit discovered the attack and began investigating the extent of the damage, while ramping up security measures. Reddit contacted law enforcement and is cooperating with their investigation.
Below is the message Reddit posted for its users:
We had a security incident. Here's what you need to know. from r/announcements
About the Author
Sydny Shepard is the Executive Editor of Campus Security & Life Safety.