Skip to main content

Attacker stole user data from Reddit through employee accounts


An official update posted by Reddit reveals that an attacker broke into a few systems on the company’s network and stole user data. The theft consisted of a 2007 database backup containing salted hashed passwords along with “some” current email addresses. Reddit is currently working with law enforcement as they investigate the breach.

According to Reddit, the leaked database backup includes usernames and salted hashed passwords used between the site’s launch in 2005 through May 2007. It also includes email addresses, public content and private messages. Reddit users with data contained in this backup will be notified to reset their passwords. Those who created a Reddit account after May 2007 are not affected in this specific portion of the breach.

Related Videos

If you’re not familiar with the “hash” term, hashing converts a password into a value with a fixed length that cannot be reversed without lots of computing power. “Salting” means throwing an additional, random secret value into a password so that hackers can’t use dictionary attacks. Servers create a new randomly-generated salt for each password and hashes them together using cryptography.

Reddit also said the attacker gained access to email digests from sent between June 3 and June 17, 2018. As shown above, the digests connect usernames to email addresses and also highlights subscribed subreddits. Those who don’t associate their email address to their Reddit account and/or unchecked the “email digests” option in their account are not affected.

Still, that’s not all. Because the hacker had read access to Reddit’s storage systems, the attacker obtained source code, internal logs, configuration files and employee workspace files. On the end-user side, the 2007 database and email digests were the source of the attacker’s treasure trove.

How did the attacker infiltrate Reddit? Through “a few” compromised employee accounts tied to Reddit’s cloud and source code hosting providers. These accounts were protected by two-factor authentication through SMS messaging, which isn’t the most secure form of credential verification. Reddit suggests everyone move to token-based two-factor authentication like facial recognition, fingerprint scanning, and USB-based keys.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company reports. “They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Reddit discovered the breach on June 19, which took place between June 14 and June 18. After discovering the breach, Reddit worked with its cloud and source code hosting partners to understand what the attacker accessed. The company also reported the hack to law enforcement and began messaging user accounts. Reddit took additional steps to better secure its network as well.

Reddit suggests that users reconsider their passwords if they’ve been in use for years on the site and/or elsewhere. Reddit also suggests using strong, unique passwords and authenticator apps to take advantage of the site’s two-factor authentication feature.

Editors' Recommendations

Firefox just got a great new way to protect your privacy
Canva in Firefox on a MacBook.

If you’re fed up with signing up for new accounts online and then being perpetually spammed in the days and weeks after, Mozilla has an idea that could help. The company has just announced its Firefox Relay feature is being directly integrated into its Firefox web browser, and it could help guarantee your privacy without any extra hassle.

Firefox Relay works by letting you create email “masks” when you sign up for new accounts. Instead of entering your real credentials into the sign-up field, Firefox Relay provides you with a throwaway address and phone number to use. Any messages from the website -- such as purchase receipts -- are then forwarded to your real email address, with all the sender’s tracking information stripped out to protect your privacy.

Read more
The most common Chromebook problems and how to fix them
A person working on a Toshiba Chromebook.

Chromebooks are great alternatives to MacBooks and Windows 10 laptops, but they aren’t perfect. Any laptop computer is bound to have issues, and some of the most common problems faced by Chromebook users can feel difficult or even impossible to solve on their own. 

From issues with updates to internet connectivity, troubleshooting common Chromebook problems doesn’t have to ruin your day. Read on to discover easy fixes for the most frequent issues Chromebook users face. 
The Diagnostics app

Read more
Ranking all 12 versions of Windows, from worst to best
Windows 7 desktop.

You can tell a person's age by which version of Windows is their favorite. I have fond memories of XP and Windows 98 SE, so you can take a guess at mine, but I have colleagues who are much more enamored with Windows 7, or Windows 95. We all have something disparaging to say about Windows 8 though, and the less said about Windows Vista the better.

Ranking the different versions of Windows is about more than what era of computing you grew up in, though. There are some very serious duds in Microsoft's back catalog, just as there are a few wins too. But whether you can look back on some of Microsoft's disastrous releases with rose-tinted glasses, or have some genuine love for Microsoft's missteps, here's every version of Windows ranked from best to worst.
12. Windows ME

Read more