Reddit Hacked – Attackers Steal a Complete Copy of an Old Database Backup After Compromising Employee Accounts
Reddit has just disclosed a security breach of its systems that has resulted in the hackers accessing some user data, including current email addresses and a 2007 database containing usernames and passwords. Passwords were salted and hashed.
The company revealed that it learned on June 19 that an attacker had managed to compromise a few employee accounts between June 14 and June 18. "Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company revealed, adding to the much-needed ongoing push to encourage employees to move away from SMS-based 2FA systems.
"We point this out to encourage everyone here to move to token-based 2FA."
Reddit said that while the attack was "serious," the attackers only managed to get read access, not write access, to Reddit systems. This access was achieved on some systems that contained backup data from 2007, source code and other logs.
"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems."
The following data was accessed during the Reddit security breach
- All Reddit data from 2007 and before, including account credentials and email addresses. Attackers had access to the complete copy of this old database, which carried information on users that the company had from its launch in 2005 to 2007. While the impact would be on a few users, this backup contained not only usernames and passwords, but also private messages. Note: you are not affected if you joined Reddit after 2007.
- Email digests sent by Reddit in June 2018: this means the email addresses and associated usernames of users were accessed. Reddit said if you don’t have an email address associated with your account or your “email digests” user preference was unchecked during June 3-17, 2018, you’re not affected.
Attackers also took away some other data, including employee files, but users only appear to be affected in the above two areas.
The company has reported the security breach to law enforcement and has started the process to notify the affected users. The company has said that "if there’s a chance the credentials taken reflect the account’s current password," it will make you reset your Reddit account password.
Even if Reddit doesn't notify you and you have been using the same password since 2007, it is probably better to reset it anyway, since by now it may have made its way to a number of dumped databases. Reddit has encouraged users to enable two-factor authentication using an authenticator app.