Reddit hack: user data from 2005 to 2007 accessed


  • Reddit said it was hacked in June and that personal
    information of some users, including email addresses and
    private messages, was accessed.
  • The hack affected people who used Reddit between 2005,
    when the site was created, and 2007.

Reddit, the popular discussion and forum website, said on
Wednesday that hackers managed to break into its computer systems
and gain access to private messages, email addresses and other
personal information belonging to some of its early users.

The hackers obtained access to a database that contained personal
information of Reddit users who joined the service between 2005,
when the site was created, and 2007. 

The cyber attack occurred between June 14 and June 18, when
hackers “compromised a few of our employees’ accounts with our
cloud and source code hosting providers,” Reddit said, and its
website administrators realized the hack occurred on June 19.

Reddit is one of the world’s most popular websites, comprised of
thousands of smaller “subreddit” communities for a variety of
interests. However, Reddit often finds itself under scrutiny for
all the wrong reasons, as its more toxic subreddits regularly
engage in racist, misogynistic, and other kinds of bad behavior.

Specifically, that data includes usernames, “salted hashed
passwords, email addresses, and all content (mostly public, but
also private messages).” Because the passwords were salted and
hashed, the values that were compromised are not the plaintext
passwords that users actually type.
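What “salted hashed passwords” means in practice, as an added example (not Reddit's code, and not its actual scheme): a per-user random salt is stored beside a slow hash, so two users with the same password get different records and the plaintext never appears in the database. The record layout and the sample password are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed record format for this example: algorithm, work factor, salt, hash.
# It is not Reddit's storage format; it shows what "salted and hashed" means.

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> dict:
    """Derive a per-user salted hash with PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return {"alg": "pbkdf2-sha256", "iter": iterations,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def unsalted_sha1(password: str) -> str:
    """Legacy-style unsalted hash, shown only to contrast with the salted form."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def demo() -> dict:
    """Two users pick the same password: salted records differ, unsalted ones collide."""
    pw = "hunter2"  # constructed sample password
    user_a = hash_password(pw, iterations=10_000)
    user_b = hash_password(pw, iterations=10_000)
    return {
        "salted_records_differ": user_a["hash"] != user_b["hash"],
        # With no salt, user A and user B end up with identical stored values.
        "unsalted_records_collide": unsalted_sha1(pw) == unsalted_sha1(pw),
        "plaintext_absent": pw not in (user_a["salt"] + user_a["hash"]),
        "verify_correct": verify_password(user_a, pw),
        "verify_wrong": verify_password(user_a, "hunter3"),
    }

if __name__ == "__main__":
    print(demo())
```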

The hack doesn’t involve data from users who signed up
after 2007. However, to be sure, it’s best to change your Reddit
password and activate two-factor authentication. 

For those who signed up between 2005 and 2007, Reddit will
make you reset your password. And if you use your Reddit password
on other sites and accounts, Reddit suggests you change those
passwords, too. 

Reddit’s statement of the incident is in full below:

TL;DR: A hacker broke into a few of Reddit’s systems and
managed to access some user data, including some current email
addresses and a 2007 database backup containing old salted and
hashed passwords. Since then we’ve been conducting a painstaking
investigation to figure out just what was accessed, and to
improve our systems and processes to prevent this from happening
again.


What happened?

On June 19, we learned that between June 14 and June 18, an
attacker compromised a few of our employees’ accounts with our
cloud and source code hosting providers. Already having our
primary access points for code and infrastructure behind strong
authentication requiring two factor authentication (2FA), we
learned that SMS-based authentication is not nearly as secure as
we would hope, and the main attack was via SMS intercept. We
point this out to encourage everyone here to move to token-based
2FA.

Although this was a serious attack, the attacker did not gain
write access to Reddit systems; they gained read-only access to
some systems that contained backup data, source code and other
logs. They were not able to alter Reddit information, and we have
taken steps since the event to further lock down and rotate all
production secrets and API keys, and to enhance our logging and
monitoring systems.

Now that we’ve concluded our investigation sufficiently to
understand the impact, we want to share what we know, how it may
impact you, and what we’ve done to protect us and you from this
kind of attack in the future.


What information was involved?

Since June 19, we’ve been working with cloud and source code
hosting providers to get the best possible understanding of what
data the attacker accessed. We want you to know about two key
areas of user data that was accessed:


All Reddit data from 2007 and before, including account
credentials and email addresses

What was accessed: A complete copy of an old database backup
containing very early Reddit user data — from the site’s launch
in 2005 through May 2007. In Reddit’s first years it had many
fewer features, so the most significant data contained in this
backup are account credentials (username + salted hashed
passwords), email addresses, and all content (mostly public, but
also private messages) from way back then.

How to tell if your information was included: We are sending
a message to affected users and resetting passwords on accounts
where the credentials might still be valid. If you signed up for
Reddit after 2007, you’re clear here. Check your PMs and/or email
inbox: we will be notifying you soon if you’ve been
affected.


Email digests sent by Reddit in June 2018

What was accessed: Logs containing the email digests we sent
between June 3 and June 17, 2018. The logs contain the digest
emails themselves — they look like this. The digests connect a
username to the associated email address and contain suggested
posts from select popular and safe-for-work subreddits you
subscribe to.

How to tell if your information was included: If you don’t
have an email address associated with your account or your “email
digests” user preference was unchecked during that period, you’re
not affected. Otherwise, search your email inbox for emails from
[email protected] between June 3-17, 2018.

As the attacker had read access to our storage systems, other
data was accessed such as Reddit source code, internal logs,
configuration files and other employee workspace files, but these
two areas are the most significant categories of user data.


What is Reddit doing about it?

Some highlights. We:

  • Reported the issue to law enforcement and are cooperating
    with their investigation.
  • Are messaging user accounts if there’s a chance the
    credentials taken reflect the account’s current password.
  • Took measures to guarantee that additional points of
    privileged access to Reddit’s systems are more secure (e.g.,
    enhanced logging, more encryption and requiring token-based 2FA
    to gain entry since we suspect weaknesses inherent to SMS-based
    2FA to be the root cause of this incident).


What can you do?

First, check whether your data was included in either of the
categories called out above by following the instructions
there.

If your account credentials were affected and there’s a
chance the credentials relate to the password you’re currently
using on Reddit, we’ll make you reset your Reddit account
password. Whether or not Reddit prompts you to change your
password, think about whether you still use the password you used
on Reddit 11 years ago on any other sites today.

If your email address was affected, think about whether
there’s anything on your Reddit account that you wouldn’t want
associated back to that address. You can find instructions on how
to remove information from your account on this help page.

And, as in all things, a strong unique password and enabling
2FA (which we only provide via an authenticator app, not SMS) is
recommended for all users, and be alert for potential phishing or
scams.
