Reddit Hacked, All User Data From 2007 & Earlier Accessed

Published August 1, 2018 11:00 AM, by Charles Singletary Jr

In a bit of frightening news, it has been revealed that Reddit was hacked and important user data was accessed. Because of this, the Reddit team is recommending that everyone move to two-factor authentication (2FA) just in case the hackers attempt to use their login credentials. 

On June 19, Reddit staff learned that an attacker compromised the accounts of employees between June 14 and 18 by using the cloud and source code hosting providers. Primary access points for code and infrastructure are behind 2FA but SMS-based authentication was not secure enough. The full breakdown can be read on the official Reddit post but here's what has been compromised:

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

• All Reddit data from 2007 and before including account credentials and email addresses
  • What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashedpasswords), email addresses, and all content (mostly public, but also private messages) from way back then.
  • How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
• Email digests sent by Reddit in June 2018
  • What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves -- they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
  • How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.

As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data.

The Reddit team is working with law enforcement and cooperating with the investigation, messaging user accounts if there's chance their data has been taken, and has better-secured Reddit's systems. Stay tuned to Shacknews for additional updates.