Reddit today revealed that back in June, it suffered a data breach where hackers got access to some non-sensitive data including old databases, and other technical stuff including internal logs, configuration files, employee data, and the website’s source code. The company has now concluded its investigation over the matter and has issued some advice for users.
While the breach was discovered on June 19, it is expected to have taken place between June 14 and 18. Reddit CTO Chris Slowe aka u/KeyserSosa posted in the announcements subreddit, detailing the likely cause and impact of the breach.
Slowe revealed that the systems which stored this information were protected by SMS-based two-factor authentication and “the main attack” took place through interception of 2FA SMSes. This is why Slowe insists that every user must adopt token-based 2FA, which can be accomplished using apps such as Google’s Authenticator.
The hacker only gained read access to Reddit’s servers and was unable to modify any of its internal files. Further, Slowe added that Reddit has taken certain steps to “lock down and rotate all production secrets and API keys” as well as make the logging systems more secure.
The data that was stolen includes the usernames and “salted” or modified passwords from 2007 and before. While the likeliness of users not having changed their passwords since 2007 is very low, Reddit said that it will be conveying the potentially affected users via a private message and/or email.
The hackers also stole the list of emails of the users who have subscribed for regular updates or email digests from Reddit. Since the emails also contain usernames which means that if you’re one of the recipients, make sure you turn on 2FA for your account to prevent it from being sabotaged. Here’s how to do it.
Reddit will also be prompting you to update your password in case there is a possibility of your credentials being stolen. Meanwhile, Slowe recommends every user to switch to token-based authentication instead of SMS verification.