Reddit has suffered a data breach compromising usernames, passwords and email addresses of groups of users, the site has confirmed. Although two-factor authentication was in place, it relied on SMS, and the attacker was able to capture the codes using an SMS intercept attack.
Reddit users might believe they are relatively anonymous as they need to provide only a username and email address to sign up for an account, but Slowe advised users affected by the breach to think about whether there's anything on their Reddit account that they wouldn't want associated back to that address.
Users will be receiving messages from Reddit officials if their information was accessed.
Reddit also recommends that you use a strong password along with two-factor authentication through its authenticator app. The digests also connected usernames to the email addresses to which the digests were sent, as well as suggested posts based on the subreddits to which the users subscribed. Together, these details could.
The hacker saw backup data, source code, and other employee logs in Reddit systems, but could not change any of it.
If your account was created between 2004 and May 2007, Reddit's now sending out PMs/emails with further instructions on what to do.
What was accessed: A complete copy of an old database backup containing very early Reddit user data, from the site's launch in 2005 through May 2007. On Wednesday Reddit began informing users who may be included in this dataset. Following an investigation, Reddit discovered that the attacker must have gained access to the SMS 2FA codes the employees would use to authenticate to those cloud hosting accounts.
"This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?" said renowned security researcher Troy Hunt, a specialist in data breaches affecting consumers. Oh, and also your email addresses and account credentials.
There are two parts to this story - who is affected and the weakness the company says led to the breach itself. If you did receive email digests during this period, check your inbox for emails from [email protected] between June 3 and June 17.
Reddit pinned the incident on the hacker's ability to bypass 2FA.
Predictably, security specialists are pointing to this hack as another example of the failure of two-factor authentication. However, everyone is advised to carry out the usual password change and to activate the additional security measures that Reddit already makes available.
Security and data breaches have pretty much become the norm for tech companies as of late.
In terms of what exactly was accessed, Reddit said attackers obtained read-only access to systems, source code and other logs.