Attacker stole user data from Reddit through employee accounts

reddit threads nazi hitler mentions home page
GongTo/Shutterstock

An official update posted by Reddit reveals that an attacker broke into a few systems on the company’s network and stole user data. The theft consisted of a 2007 database backup containing salted hashed passwords along with “some” current email addresses. Reddit is currently working with law enforcement as they investigate the breach.

According to Reddit, the leaked database backup includes usernames and salted hashed passwords used between the site’s launch in 2005 through May 2007. It also includes email addresses, public content and private messages. Reddit users with data contained in this backup will be notified to reset their passwords. Those who created a Reddit account after May 2007 are not affected in this specific portion of the breach.

If you’re not familiar with the “hash” term, hashing converts a password into a value with a fixed length that cannot be reversed without lots of computing power. “Salting” means throwing an additional, random secret value into a password so that hackers can’t use dictionary attacks. Servers create a new randomly-generated salt for each password and hashes them together using cryptography.

reddit attacker gained 2007 database recent emails digest email sample

Reddit also said the attacker gained access to email digests from noreply@redditmail.com sent between June 3 and June 17, 2018. As shown above, the digests connect usernames to email addresses and also highlights subscribed subreddits. Those who don’t associate their email address to their Reddit account and/or unchecked the “email digests” option in their account are not affected.

Still, that’s not all. Because the hacker had read access to Reddit’s storage systems, the attacker obtained source code, internal logs, configuration files and employee workspace files. On the end-user side, the 2007 database and email digests were the source of the attacker’s treasure trove.

How did the attacker infiltrate Reddit? Through “a few” compromised employee accounts tied to Reddit’s cloud and source code hosting providers. These accounts were protected by two-factor authentication through SMS messaging, which isn’t the most secure form of credential verification. Reddit suggests everyone move to token-based two-factor authentication like facial recognition, fingerprint scanning, and USB-based keys.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” the company reports. “They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Reddit discovered the breach on June 19, which took place between June 14 and June 18. After discovering the breach, Reddit worked with its cloud and source code hosting partners to understand what the attacker accessed. The company also reported the hack to law enforcement and began messaging user accounts. Reddit took additional steps to better secure its network as well.

Reddit suggests that users reconsider their passwords if they’ve been in use for years on the site and/or elsewhere. Reddit also suggests using strong, unique passwords and authenticator apps to take advantage of the site’s two-factor authentication feature.

Mobile

Motiv smart ring can use your walking pattern to unlock online accounts

Remember Motiv's activity tracking smart ring? It's back with a raft of new features that adds biometric identification and token authentication, all on a device that fits on your finger.
Social Media

Save me: How to download Instagram photos from any device

Browsing photos in Instagram is one thing, but saving them is another. Until recently, it wasn't easy to get your photos off the 'gram and saved elsewhere. But Instagram has recently launched a tool that lets you download all of your…
Emerging Tech

You’re so vein: Palm-based biometric system could help confirm your identity

Move over, Face ID! The next biometric security systems could rely on analyzing the unique vein patterns in your palm print. Here are some of the ways the technology could prove useful.
Social Media

Tumblr promises it fixed a bug that left user data exposed

A bug on blogging site Tumblr left user data exposed. The company says that once it learned of the flaw, it acted quickly to fix it, adding that it's confident no data linked to its users' accounts was stolen.
Emerging Tech

Looking for a good read? Here are the best, most eye-opening books about tech

Sometimes it's sensible to put down the gadgets and pick up a good old-fashioned book -- to read about the latest gadgets, of course. Here are the tech books you need to check out.
Gaming

The 'Fallout 76' beta starts tomorrow! Here's when it starts and how to join

Want to get into Bethesda's Fallout 76 beta? We don't know when the program will launch, but we provide instructions on how to get ready. The game officially launches on November 14.
Computing

Samsung’s HMD Odyssey Plus gives you a clearer view into the virtual world

Samsung's refreshed HMD Odyssey+ promises to make Windows Mixed Reality experiences better by eliminating pixelated views caused by screen doors. The $500 headset also focuses on comfort this year with ergonomic improvements.
Computing

Intel denies rumors that 10nm Cannon Lake CPUs have been canned

Intel's long-in-development and oft-delayed, Cannon Lake 10nm CPU design has reportedly been canceled. Intel is denying the rumor, but if true, it could push back the release of new Intel chips by a long time.
Computing

Not to be outdone, Samsung says it’s making a laptop with a foldable display

Samsung announced that it is also working on a dual-screen computer. But rather than using two separate display panels, Samsung said that its novel laptop will come with a large flexible display that can fold when closed.
Photography

Free your digital memories, and frame them, with the best photo printers

Printed photos are experiencing a revival at the moment, but you don’t need to go to a special lab. Here’s our favorite options for making quality prints, from pocket-sized printers to wide-format photo printers capable of spitting out…
Computing

A new bug in the Windows 10 October 2018 Update could delete your files

The Windows 10 October 2018 Update has been on a rough path and in the latest set of issues, a new bug is impacting native zip file operations, potentially leading to overwritten files in some instances. 
Computing

Antivirus software has evolved a lot recently, and we need it more than ever

Everyone says you need it, but really is antivirus software, and how does it work? It depends on who you ask as different digital security companies employ different techniques to combat the latest malware threats.
Computing

Nvidia’s new GTX 1060 6GB could counter AMD’s rumored RX 590

Nvidia's GTX 1060 is about to get more powerful for new buyers, as the green team has introduced a new version with GDDR5X memory at its disposal. This could prove competitive with AMD's rumored RX 590.
Computing

A canceled education order is increasing hopes for new Macbook model

With Apple's October 30 event fast approaching, rumors continue to surface about new Macs and iPad models. In the latest news, a canceled education order is stoking hopes for a new MacBook model.