SACRAMENTO (CBS13) – A hacker accessed Reddit and stole some user data, including email addresses and a 2007 database containing old salted and hashed passwords and content.
The hacker also accessed the logs containing email digests from June 3-17, 2018. Those digests “connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.”
Reddit says the hacker got into several employee accounts through Reddit's cloud and source code hosting providers between June 14 and 18. Reddit became aware of the breach on June 19.
In today’s notice, Reddit wrote: “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
Reddit said the hacker didn’t gain write access to its systems, but did gain read-only access to some systems that stored backup data, source code, and other logs.
Reddit is sending an email to affected users and telling them to reset passwords. It’s also advising users: “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.”
The site also alerted law enforcement about the breach and is cooperating with the investigation. It has also taken measures to secure additional points of “privileged access.”