Popular social networking platform Reddit said that a hacker gained access to some user data, including current email addresses and an older 2007 database backup that contained passwords (encrypted).
Reddit added that the hacker accessed an old database backup holding information about early users of the platform, from its launch in 2005 through May 2007.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” Reddit’s founding engineer Christopher Slowe wrote on Reddit.
Slowe said Reddit learned on June 19 that an attacker had compromised a few of its employees’ accounts between June 14 and June 18.
The breach was carried out by intercepting text messages meant to deliver one-time login codes to employees, Reddit said, adding that it was notifying the affected users.
Slowe said the firm hired its first head of security nearly three months ago. “So far he hasn’t quit”.
What was accessed
Reddit says the hacker was able to access a copy of an old database that held data on early Reddit users (from 2005 to 2007).
“In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then,” it said in a blog post.
“Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to,” the company added.
What Reddit is doing about it
Reddit says it is sending messages to affected users and has reset passwords for them.
“We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected,” it added.
What should users do?
The first thing you can do right now is reset the password of your Reddit account. Also, if you were using the same password on other platforms, reset it there too.
“First, check whether your data was included in either of the categories called out above by following the instructions there. If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today,” the company suggested.
“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page. And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams,” it added.