An official update posted by Reddit reveals that an attacker broke into a few systems on the company’s network and stole user data. The theft consisted of a 2007 database backup containing salted hashed passwords along with “some” current email addresses. Reddit is currently working with law enforcement as they investigate the breach.
According to Reddit, the leaked database backup includes usernames and salted hashed passwords used from the site’s launch in 2005 through May 2007. It also includes email addresses, public content and private messages. Reddit users with data contained in this backup will be notified to reset their passwords. Those who created a
If you’re not familiar with the term “hash,” hashing converts a password into a value with a fixed length that cannot be reversed without lots of computing power. “Salting” means throwing an additional, random secret value into a password so that hackers can’t use dictionary attacks. Servers create a new randomly generated salt for each password and hash the two together using cryptography.
Reddit also said the attacker gained access to email digests from firstname.lastname@example.org sent between June 3 and June 17, 2018. As shown above, the digests connect usernames to email addresses and also highlight subscribed subreddits. Those who don’t associate their email address to their
Still, that’s not all. Because the hacker had read access to Reddit’s storage systems, the attacker obtained source code, internal logs, configuration files and employee workspace files. On the end-user side, the 2007 database and email digests were the source of the attacker’s treasure trove.
How did the attacker infiltrate Reddit? Through “a few” compromised employee accounts tied to Reddit’s cloud and source code hosting providers. These accounts were protected by two-factor authentication through SMS messaging, which isn’t the most secure form of credential verification.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company reports. “They were not able to alter
Reddit discovered the breach, which took place between June 14 and June 18, on June 19. After discovering the breach,
Reddit suggests that users reconsider their passwords if they’ve been in use for years on the site and/or elsewhere.