An official update posted by Reddit reveals that an attacker broke into a few systems on the company’s network and stole user data. The theft consisted of a 2007 database backup containing salted hashed passwords along with “some” current email addresses. Reddit is currently working with law enforcement as they investigate the breach.
According to Reddit, the leaked database backup includes usernames and salted hashed passwords used between the site’s launch in 2005 through May 2007. It also includes email addresses, public content and private messages. Reddit users with data contained in this backup will be notified to reset their passwords. Those who created a Reddit account after May 2007 are not affected in this specific portion of the breach.
If you’re not familiar with the “hash” term, hashing converts a password into a value with a fixed length that cannot be reversed without lots of computing power. “Salting” means throwing an additional, random secret value into a password so that hackers can’t use dictionary attacks. Servers create a new randomly-generated salt for each password and hashes them together using cryptography.
Reddit also said the attacker gained access to email digests from noreply@redditmail.com sent between June 3 and June 17, 2018. As shown above, the digests connect usernames to email addresses and also highlights subscribed subreddits. Those who don’t associate their email address to their Reddit account and/or unchecked the “email digests” option in their account are not affected.
Still, that’s not all. Because the hacker had read access to Reddit’s storage systems, the attacker obtained source code, internal logs, configuration files and employee workspace files. On the end-user side, the 2007 database and email digests were the source of the attacker’s treasure trove.
How did the attacker infiltrate Reddit? Through “a few” compromised employee accounts tied to Reddit’s cloud and source code hosting providers. These accounts were protected by two-factor authentication through SMS messaging, which isn’t the most secure form of credential verification. Reddit suggests everyone move to token-based two-factor authentication like facial recognition, fingerprint scanning, and USB-based keys.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company reports. “They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”
Reddit discovered the breach on June 19, which took place between June 14 and June 18. After discovering the breach, Reddit worked with its cloud and source code hosting partners to understand what the attacker accessed. The company also reported the hack to law enforcement and began messaging user accounts. Reddit took additional steps to better secure its network as well.
Reddit suggests that users reconsider their passwords if they’ve been in use for years on the site and/or elsewhere. Reddit also suggests using strong, unique passwords and authenticator apps to take advantage of the site’s two-factor authentication feature.
