Reddit Data Breach Shows 2-Factor Authentication is Not Always Effective

A sizeable Reddit data breach has been discovered. An unauthorized individual gained access to several Reddit systems and succeeded in downloading a significant number of users’ credentials, including usernames, email addresses, and salted hashed passwords, as well as public messages and, in some cases, private messages.

The database that was copied was an old backup and included data from 2015, when the website was launched, through to May 2007. The backup only contained a limited amount of data as the site, in the early days, had far fewer features.

Individuals affected by the breach could potentially have had their passwords disclosed, although since the passwords were salted and hashed, it is possible that they will not be cracked. Should the passwords be obtained, it would only be of concern for account holders who have not changed their password since 2007 and those who reuse old passwords to secure other accounts. All users have been encouraged to change their passwords, regardless of whether they are still using the site.

Individuals who are believed to still be using the same password as they were in 2007 are being messaged to alert them to the risk of an account compromise. All Reddit users should bear in mind that since the attacker has obtained email addresses associated with Reddit accounts, there is potential for those email addresses to be used in a phishing campaign linked to the breach. As a precaution, if a message is received that claims to be from Reddit, access your Reddit account directly through the browser rather than using any links in the body of the email.

The attacker gained read access to Reddit systems and may have gained access to source code, internal logs, employee workspace files, and configuration files, although no changes could have been made to its systems or data.

The data breach occurred between June 14 and June 18, 2018, and was detected by Reddit on June 19. Reddit explained that an attacker gained access to several employees’ accounts with its cloud and source code hosting providers. Reddit also explained that it uses strong 2-factor authentication controls to prevent stolen or guessed credentials from being used to access accounts on unfamiliar devices. However, the breach shows that SMS-based authentication is not infallible. The main attack was an SMS intercept, the firm notes.

The Reddit data breach shows that while 2-factor authentication is an important control to have in place, token-based 2-factor authentication is a much more secure choice than SMS-based 2FA. Reddit is encouraging all site users to switch to token-based 2FA through an authenticator app.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news