Reddit discloses a data breach, a hacker accessed user data

Reddit is warning its users of a security breach, an attacker broke into the systems of the platform and accessed user data.

Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018, according to Reddit, between June 14 and 18, 2018, the attacker compromised some of the employees’ accounts with the company cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.” reads a data breach notification published by the company.

Reddit users that are still using the same password since 2007 have to do it now and change the password for any service where they share the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the accounts were protected with two-factor SMS-based authentication, a circumstance that suggests the attackers were in the position to intercept authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” continues Reddit.

The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance our monitoring systems.

Reddit already reported the security breach to law enforcement and is notifying affected urging to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

All Reddit data from 2007 and before including account credentials and email addresses
- What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
- How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
- What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
- How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.