Reddit Hacked, All User Data From 2007 & Earlier Accessed

The Reddit team is cooperating with law enforcement and taking steps to further secure the site.


In a bit of frightening news, it has been revealed that Reddit was hacked and important user data was accessed. Because of this, the Reddit team is recommending that everyone move to two-factor authentication (2FA) just in case the hackers attempt to use their login credentials. 

On June 19, Reddit staff learned that an attacker had compromised employee accounts between June 14 and 18 through its cloud and source code hosting providers. Primary access points for code and infrastructure are behind 2FA, but SMS-based authentication was not secure enough. The full breakdown can be read on the official Reddit post, but here's what has been compromised:

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

  • All Reddit data from 2007 and before including account credentials and email addresses
    • What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
    • How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
  • Email digests sent by Reddit in June 2018
    • What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves -- they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
    • How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.

As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data.
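
The digest check from the notice above, applied to raw email messages, as an added example (not Reddit's or Shacknews' code). Treating the June 3-17 window as inclusive UTC dates is an assumption, and the sample messages are constructed.

```python
import email
from datetime import date, timezone
from email.utils import parseaddr, parsedate_to_datetime

DIGEST_SENDER = "noreply@redditmail.com"  # sender address given in Reddit's notice
WINDOW_START = date(2018, 6, 3)           # window from the notice; reading it as
WINDOW_END = date(2018, 6, 17)            # inclusive UTC dates is an assumption


def is_digest_in_window(raw_message: str) -> bool:
    """True if the From address and Date header match the notice's criteria."""
    msg = email.message_from_string(raw_message)
    # parseaddr separates display name from address, so a message whose display
    # name merely contains the Reddit address is not counted.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != DIGEST_SENDER:
        return False
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        return False                      # missing or unparseable Date header
    if sent.tzinfo is None:               # "-0000" dates parse as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return WINDOW_START <= sent.astimezone(timezone.utc).date() <= WINDOW_END


def matching_subjects(raw_messages):
    """Subjects of the messages that fall inside the exposure window."""
    return [email.message_from_string(m).get("Subject", "")
            for m in raw_messages if is_digest_in_window(m)]


# Constructed sample messages (not real Reddit mail).
SAMPLES = [
    "From: Reddit <noreply@redditmail.com>\nDate: Tue, 05 Jun 2018 09:00:00 -0700\nSubject: in window\n\nbody\n",
    "From: Reddit <noreply@redditmail.com>\nDate: Sat, 02 Jun 2018 16:30:00 -0700\nSubject: before window\n\nbody\n",
    'From: "noreply@redditmail.com" <news@example.test>\nDate: Tue, 05 Jun 2018 09:00:00 +0000\nSubject: other sender\n\nbody\n',
    "From: noreply@redditmail.com\nSubject: no date\n\nbody\n",
]

if __name__ == "__main__":
    print(matching_subjects(SAMPLES))
```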

The Reddit team is working with law enforcement and cooperating with the investigation, messaging users if there's a chance their data has been taken, and has better secured Reddit's systems. Stay tuned to Shacknews for additional updates.

News Editor

Charles Singletary Jr keeps the updates flowing as the News Editor, breaking stories while investigating the biggest topics in gaming and technology. He's pretty active on Twitter, so feel free to reach out to him @The_CSJR. Got a hot tip? Email him at Charles.Singletary@Shacknews.com.

From The Chatty

  • reply
    August 1, 2018 12:51 PM

    Charles Singletary posted a new article, Reddit Hacked, All User Data From 2007 & Earlier Accessed

    • reply
      August 1, 2018 1:16 PM

      Glad I joined after 2007...

    • reply
      August 1, 2018 1:20 PM

      Welcome to shacknews.com

      You can do anything at shacknews.com

      Welcome.

      Anything is possible at shacknews.com

      Shacknews.com welcomes you.

    • reply
      August 1, 2018 1:29 PM

      Also, how is it that they just discovered a hack from 11 years ago? Like what was the catalyst that made someone (who was looking at logs from 11 years ago) go "whoa we were hacked!"?

      • reply
        August 1, 2018 1:44 PM

        it was a recent hack that accessed an old backup

        • reply
          August 1, 2018 2:15 PM

          if only there was a blob of text that explained the details

    • reply
      August 1, 2018 1:38 PM

      Convenient timing on the site redesign launching to coincide with a random link from Drudge, lol.

      Well played, Asif. Well played.

    • reply
      August 1, 2018 1:43 PM

      Damn, they got all my *checks notes* I Can Haz Cheezburger images and Rickrolls!

    • reply
      August 1, 2018 1:45 PM

      A Reddit hack that couples the user with an email and then a real person can reveal some crazy stuff.
      ouch

    • reply
      August 1, 2018 2:00 PM

      Safe!

    • reply
      August 1, 2018 2:14 PM

      this is the first major hack I've heard of to take advantage of SMS vulnerabilities to beat SMS based 2FA. Get your authenticator apps/keys people.

      • reply
        August 1, 2018 2:21 PM

        At large scale yea, I can't think of one. SMS at the individual scale is considered very insecure both for MITM and plain ole just spying it off people's screens. It's still used by some of the big 2fa providers, it's horribly insecure. Better than no 2fa I guess.