Reddit's August 2018 security incident: What you need to know

Reddit, the popular news aggregator and discussion site, has disclosed that an attacker gained access to some of its systems between June 14 and 18, 2018.

The breach exposed user data in two forms: a database backup from 2007 containing usernames, email addresses and salted, hashed passwords from that era, and recent logs that tie current email addresses to usernames.

Reddit said the attacker compromised several employee accounts. Those accounts were protected by two-factor authentication, but the second factor was delivered by SMS, and the attacker intercepted the codes sent to the employees' phone numbers (an SMS intercept attack), which was enough to log in as them.

The attacker was also able to read logs from the site's email digest function, a service that sends a daily email containing the latest updates from the communities a user follows, known as subreddits.

During the mid-June intrusion, the hacker accessed an old backup of Reddit that contained user data such as hashed passwords from 2007.

The company is sending a message to affected users and resetting passwords on accounts where the credentials might still be valid.

Regarding the email digest logs, you're in the clear if you don't have an email address attached to your account or if you did not have the "email digests" user preference selected during this time. As for the SMS codes, Reddit itself writes that this form of two-factor authentication is "not nearly as secure as we would hope".

"When Reddit started using SMS for two-factor authentication in 2005 it was a best practice, but over the past 15 years, smartphones have become the primary user device and hackers have migrated their focus and efforts to taking advantage of weaknesses in areas that were once very limited in their nature", he said.

Reddit's response to the breach has been met with some criticism within the security community.

If you were subscribed to the email digests and don't want data related to that account to be traced back to your email address, Reddit recommended you check the help page for how to remove that information. The logs specifically covered email digests sent between June 3 and June 17.

Reddit says it has taken steps to prevent further attacks, including rotating all production secrets and API keys.

The company has already reported what happened to law enforcement and is cooperating with an investigation.

So, whether or not you've received an email from Reddit, it's a good idea to change your password, particularly if you still use one you set in 2007 or reuse it on other sites.

One Reddit user also noted that the digest logs let the attacker work out a Redditor's username from their email address.