Reddit caused a big stir on the internet today when it revealed that a hacker managed to break into its systems and steal user data. However, it’s refusing to reveal the scale of the breach and is not contacting everyone affected.
As per Reddit’s post, an attacker targeted some of its employee accounts between June 14 and June 18. The hacker blew past the two-factor authentication (2FA) stage with an SMS intercept. Because of this misstep, the company is encouraging folks out there to switch to token-based 2FA, since SMSes clearly aren’t as safe as they should be.
Reddit claims the hostile actor just got read-only access to its systems and didn’t alter any information. Two main areas of user data were breached. The first covers all Reddit data from the site’s launch in 2005 till May 2007 including email IDs, content (public and private messages), usernames, and salted hashed passwords.
Reddit Data Hack Extent
This is huge and people should be on high alert if they signed up for Reddit before 2007. The company is in the process of sending messages and emails to the victims and resetting passwords on accounts where the credentials are still valid.
The second area concerns email digests sent between June 3 and June 17 this year. Reddit sends out these missives to subscribers routinely. The digests themselves aren’t the problem, but the fact that they connect a username to an email address is.
Strangely enough, Reddit isn’t informing the people affected by this second breach. Instead, it’s asking them to check their email inbox for emails from “[email protected]” between the aforementioned dates.
Asking users to check if they got affected by this exposure rather than informing them directly is a counterproductive move. After all, not everyone will be aware of the incident and proactively check their inbox.
Anyone who didn’t have an email address associated with their account, or whose “email digests” user preference was unchecked during the attack period, won’t be affected. For now, Reddit has reported the hack to law enforcement and is fortifying its security with enhanced logging, more encryption, and token-based 2FA.
On the user’s side, it would be a good idea to enable 2FA and change your password on other sites if you used the same passcode elsewhere. Also, look into removing your Reddit account information here if your email ID was exposed in the second leak.