What You Need to Do Next


"If your account credentials were affected and there's a chance the credentials relate to the password you're now using on Reddit, we'll make you reset your Reddit account password", said Reddit administrator KeyserSosa.

The data breach took place between 14 June and 18 June, when as-yet-unknown culprits accessed employee accounts through an SMS intercept attack, Reddit's chief technology officer Christopher Slowe said in a post to r/announcements. The hackers broke in using compromised employee accounts that were protected using SMS two-factor authentication. This leak also contained an old database backup that covered the years 2005, 2006, and 2007.

Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. In addition, some sites that do support more robust, app- or key-based two-factor authentication still allow customers to receive SMS-based codes as a fallback method.

But the hacker did get "read access", which Reddit says he used to download a copy of an older Reddit site backup from May 2007.

The fact that the attackers also gained access to some Reddit source code almost feels like a small loss, even though that is anything but the case.

None of that's great, but thankfully, Reddit's already working to make sure any potentially affected users are protected.

But it's the second part of the breach which could affect a far larger number of people, and may have serious consequences for those who use Reddit under a pseudonym.

Reddit is messaging user accounts if there's a chance the credentials taken reflect the account's current password. Not only that, but email digests sent in June 2018 were also accessed.

One Reddit user noted that it's possible the hacker could piece together a Redditor's username from looking at their email address, too.

"Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim's cellular provider and convinced them to transfer the phone number to a new SIM". Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.

Most of the other data accessed is on the Reddit backend, so there isn't expected to be other compromised user data. If you meet the criteria mentioned in the full breakdown, you should probably change your Reddit password - and you should probably look into two-factor authentication, either way.

Reddit announced today that its systems had been hacked at some point earlier this summer.
