Reddit's cloud and source code hosting providers were compromised between June 14 and June 18, resulting in the leak of some users' personal data, according to a new announcement from the company. The breach was discovered on June 19, prompting an internal investigation to determine what data was stolen and who was affected. Among the items accessed were some users' current email addresses, in addition to an archived database of "old salted and hashed passwords" dating back to 2007. Specifically, the data in question spanned from the site's launch in 2005 through May 2007. Any and all content shared by users during that timeframe was potentially accessed by the bad actors behind the attack, including private messages sent during that range of dates. Current account email addresses were also accessed, along with internal company logs and copies of its email-based personalized newsletter from between June 3 and June 17 of this year. However, because the stored credentials were salted and hashed, the chances of those passwords being recovered are relatively low.
No details have been provided on how many accounts may be affected, which appears to be because the Reddit team is still working that out. In response to the attack, the company is sending private messages and emails to users who might be affected and is resetting the passwords of accounts known to have been compromised. Token-based two-factor authentication, further encryption, and enhanced logging are also being incorporated to keep internal files more secure in the future. Token-based two-factor authentication in particular is part of Reddit's action plan because the company currently believes that SMS-based authentication was central to how the breach was carried out. Law enforcement agencies have been notified of the leak, and the company will be cooperating with efforts to track down the individual or group behind it.
In addition to the password resets, Reddit is advising users who signed up prior to 2008 to change their passwords regardless of whether they think they were affected. If any other accounts held by the user use the same or similar credentials, it would be a good idea to change those as well. Last but not least, users should turn on two-factor authentication for the service, since it is token-based via an application and should help make accounts much more secure.