Attacker stole user data from Reddit through employee accounts


An official update posted by Reddit reveals that an attacker broke into a few systems on the company’s network and stole user data. The theft consisted of a 2007 database backup containing salted hashed passwords along with “some” current email addresses. Reddit is currently working with law enforcement as they investigate the breach.

According to Reddit, the leaked database backup includes usernames and salted hashed passwords used from the site’s launch in 2005 through May 2007. It also includes email addresses, public content and private messages. Reddit users with data contained in this backup will be notified to reset their passwords. Those who created a Reddit account after May 2007 are not affected by this specific portion of the breach.

If you’re not familiar with the term “hash,” hashing converts a password into a fixed-length value that cannot be reversed without lots of computing power. “Salting” means adding an additional, random secret value to a password so that hackers can’t use dictionary attacks. Servers create a new, randomly generated salt for each password and hash the two together using cryptography.
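To make the hashing and salting described above concrete, here is an added example that is not from Reddit or the original article. It assumes PBKDF2-HMAC-SHA256 from Python's standard library, an illustrative iteration count and constructed sample passwords, since the article does not say which scheme Reddit used in 2007.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for illustration; not Reddit's actual scheme.
SALT_BYTES = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


def unsalted_hash(password: str) -> bytes:
    """Plain, fast, unsalted hash, shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def demo() -> dict:
    wordlist = ["hunter2", "password", "letmein"]  # constructed sample values
    # A precomputed dictionary: unsalted digest -> password.
    table = {unsalted_hash(word): word for word in wordlist}
    # Two constructed users who chose the same password.
    salt_a, hash_a = hash_password("hunter2")
    salt_b, hash_b = hash_password("hunter2")
    return {
        "unsalted_found_in_table": unsalted_hash("hunter2") in table,
        "salted_found_in_table": hash_a in table or hash_b in table,
        "same_password_same_hash": hash_a == hash_b,
        "correct_password_verifies": verify_password("hunter2", salt_a, hash_a),
        "wrong_password_verifies": verify_password("hunter3", salt_a, hash_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unsalted digest matches the precomputed table, while the two salted digests match neither the table nor each other, even though both users chose the same password.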

[Image: sample Reddit email digest]

Reddit also said the attacker gained access to email digests from noreply@redditmail.com sent between June 3 and June 17, 2018. As shown above, the digests connect usernames to email addresses and also highlight subscribed subreddits. Those who haven’t associated an email address with their Reddit account and/or have unchecked the “email digests” option in their account are not affected.

Still, that’s not all. Because the hacker had read access to Reddit’s storage systems, the attacker obtained source code, internal logs, configuration files and employee workspace files. On the end-user side, the 2007 database and email digests were the source of the attacker’s treasure trove.

How did the attacker infiltrate Reddit? Through “a few” compromised employee accounts tied to Reddit’s cloud and source code hosting providers. These accounts were protected by two-factor authentication through SMS messaging, which isn’t the most secure form of credential verification. Reddit suggests everyone move to token-based two-factor authentication like facial recognition, fingerprint scanning, and USB-based keys.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company reports. “They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Reddit discovered the breach, which took place between June 14 and June 18, on June 19. After discovering the breach, Reddit worked with its cloud and source code hosting partners to understand what the attacker accessed. The company also reported the hack to law enforcement and began messaging user accounts. Reddit took additional steps to better secure its network as well.

Reddit suggests that users reconsider their passwords if they’ve been in use for years on the site and/or elsewhere. Reddit also suggests using strong, unique passwords and authenticator apps to take advantage of the site’s two-factor authentication feature.
