Reddit has disclosed a security incident it’s described as a “serious attack,” which it has been investigating for more than a month which the company says entailed a hacker breaking into some of its system and accessing user data. That data included some current email addresses, as well as an old database backup that contained salted and hashed passwords.

The company in a post today says it discovered the attack — which happened between June 14 and June 18 — on June 19. “An attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” the post reads. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

One very small silver lining in what happened, the post continues, is that the attacker didn’t gain write access to Reddit system. They were only able to get read-only access to some systems — of course, systems that contained backup, source code and other logs. Reddit says it’s already taken steps in the weeks since the attack to further lock down and rotate all production secrets and API keys, and to enhance logging and monitoring systems.

You can read the entire post here. Among the data that was accessed:

Reddit says the attacker was able to get into an old database backup copy that contained early Reddit user data, from the site’s launch in 2005 through 2007. “The most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.”

If you signed up for Reddit after 2007, this doesn’t affect you. The company is sending a message to affected users and resetting passwords on accounts where the credentials might still be valid.

The company has already reported what happened to law enforcement and is cooperating with an investigation. Here’s what steps it says users should take: “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.

“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.”

The company goes on to recommend a strong, unique password and the enabling of two-factor authentication — not provided via SMS — for all users, and to keep a look out for potential phishing or scams.

Comments