Hackers break into Reddit's systems

Global online forum Reddit has revealed a hacker broke into a few of its systems, accessing user data between 14 June and 18 June.

Samira Sarraf Aug 03rd 2018

According to an announcement issued on 2 August, current email addresses and a 2007 database backup containing old salted and hashed passwords have been accessed.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” according to Reddit.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

Reddit said that the hacker did not gain write access to its systems, only read-only access to some systems that contained backup data, source code and other logs.

A complete copy of an old database backup containing early Reddit user data, from the site’s launch in 2005 through May 2007, was accessed.

According to Reddit, the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

Also accessed were logs containing the email digests Reddit sent between 3 June and 17 June 2018. 

The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits the user subscribes to.

“As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data,” it said.

Reddit has reported the issue to law enforcement, is letting users know and is taking measures to guarantee that additional points of privileged access to Reddit’s systems are more secure.