To say that Reddit is very popular would be an understatement. The website currently clocks in at number five on Alexa, so it definitely has no shortage of users. Although that makes it one of the most visited platforms around, it also makes it a prime target for hackers. There have been several hacking attempts on Reddit in the past, but the most recent one seems a bit more serious than usual.
Reddit CTO Christopher Slowe confirmed in a post on Wednesday that a data breach occurred between June 14 and June 18. The company only learned about it the following day on June 19 but needed a bit of time to assess the damage before announcing what was stolen. As it turns out, the hacker got away with a fair amount of sensitive personal data. Consequently, millions of Reddit accounts were compromised and now the company is doing what it can to reverse the damage.
According to Slowe, the attacker's first targets were several accounts owned by Reddit employees. These accounts were reportedly protected by two-factor authentication (2FA) via SMS, but the hacker was able to gain access to them anyway. In fact, the hacker managed to intercept the messages containing the authentication codes before they reached the employees. Hence, gaining access to the target accounts was actually pretty easy. In light of this incident, the CTO advises users to drop SMS-based 2FA in favor of token-based 2FA.
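Token-based 2FA sidesteps the weakness described above because the one-time code is computed on the user's device from a shared secret and the current time (RFC 6238 TOTP, built on RFC 4226 HOTP); nothing is sent over the phone network to be intercepted. The following is an added illustration written for this article, not Reddit's code or anything from Slowe's post: a minimal TOTP generator and verifier with the usual authenticator-app defaults (HMAC-SHA1, 30-second step, 6 digits) plus the two checks a server side should not skip, a small clock-skew window and rejection of a code that has already been accepted. The secret and timestamps are the published RFC test vectors; the `TotpVerifier` class and its parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed test data,
# not a real key. Real secrets must be random and stored like any other credential.
TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps usually exchange the secret as base32 (a QR code or typed string)."""
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated to `digits`."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server-side check: constant-time compare, small skew window, no replay of an accepted code."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_accepted_counter = -1  # highest counter already consumed by this user

    def verify(self, code: str, timestamp: int) -> bool:
        counter = timestamp // self.step
        for skew in range(-self.window, self.window + 1):
            candidate = counter + skew
            # Reject any counter at or below the last accepted one so a captured code
            # cannot be replayed inside the validity window.
            if candidate <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Device side: the code for T=59 falls in interval 1 and matches the RFC 6238 vector.
    print("code at T=59:", totp(TEST_SECRET, 59))
    # Server side: accepted once, then refused as a replay.
    v = TotpVerifier(TEST_SECRET)
    print("first use:", v.verify("287082", 59))
    print("replay:", v.verify("287082", 70))
```

The replay guard is what makes "one-time" true in practice: without it, a code captured by any means stays valid for the whole window, which on a 30-second step with a skew of one is up to 90 seconds.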
What Did the Hacker Get Away With?
As for what was stolen, Slowe revealed that the hacker got his hands on one of Reddit’s oldest databases. The backup contained data of all users created between Reddit’s launch in 2005 and May 2007. This means account credentials like usernames and passwords, email addresses, and messages. The database contained not only public messages but also private ones, which were stolen as well.
In addition to the old database, the hacker was also able to access more recent information. Specifically, all Reddit email digests sent out between June 3 and June 17 were compromised. These logs don't contain a lot of crucial data, but they do show the usernames associated with each email address that received the digests. They also show some of the subreddits the users are subscribed to.
What is Reddit Doing About It?
Reddit has already taken steps to fix the situation as best it can. The company is sending messages to every email address associated with accounts that may have been compromised by the data breach. If your account is among them, your password will be automatically reset, so you'll need to choose a new one. If you don't receive an email from Reddit in the next few days, your account is probably fine.
Slowe says that Reddit is currently working together with law enforcement to apprehend the hacker. In the meantime, it might be a good idea to change your password and activate token-based 2FA just to be safe.