According to chief technology officer Christopher Slowe, Reddit—the fifth-most trafficked website in the U.S.—suffered a data breach at the hands of a hacker or a group of hackers between June 14 and June 18. Veteran users of the “frontpage of the internet” should consider securing their accounts.
In a post to r/announcements, Slowe explains that while Reddit employees use two-factor authentication to secure their credentials to the site, the attack relied on intercepting text messages that were supposed to reach those employees containing single-use login codes. “We learned that SMS-based authentication is not nearly as secure as we would hope,” Slowe wrote.
While the site’s systems remained inaccessible to the attacker(s), “they gained read-only access to some systems that contained backup data, source code and other logs.” The site is taking measures to tighten its security.
Unfortunately, the hacker(s) did managed to exfiltrate a few things. Among them, a batch of old user data spanning from the site’s launch in 2005 to May 2007. Although the passwords contained in the data were hashed and salted, the user data also included messages, both private and public, usernames, and associated email addresses.
Subscribers to Reddit email digests during June of this year are also included in Slowe’s post—meaning the email address those digests were delivered to and the connected usernames were also accessed. According to Slowe, all affected users will receive an email and will be prompted to change their passwords.
Whether or not you received such an email, it’s still a good a time as any to consider turning on two-factor identification—using an authenticator app, rather than SMS—on your Reddit account. That feature can be toggled on in your preferences under the “password/email” tab.
We’ve reached out to Reddit for additional information about this hack and will update if we hear back.