Pierluigi Paganini August 01, 2018

Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018, according to Reddit, between June 14 and 18, 2018, the attacker compromised some of the employees’ accounts with the company cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.” reads a data breach notification published by the company.

Reddit users that are still using the same password since 2007 have to do it now and change the password for any service where they share the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the accounts were protected with two-factor SMS-based authentication, a circumstance that suggests the attackers were in the position to intercept authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” continues Reddit.

The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance our monitoring systems.

Reddit already reported the security breach to law enforcement and is notifying affected urging to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

• All Reddit data from 2007 and before including account credentials and email addresses
  • What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
  • How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
• Email digests sent by Reddit in June 2018
  • What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
  • How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [[email protected]](mailto:[email protected]) between June 3-17, 2018.

Pierluigi Paganini

(Security Affairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]