Reddit experienced a “security incident” in June, which they announced by email this month (August, 2018). While an email to Reddit users says that the hack affected “account credentials from 2007”, the full story paints a substantially broader picture.
In fact, according to Reddit’s own full write-up of the incident (link below), it affected credentials and other user data from Reddit’s launch in 2005 up through and including May of 2007, including usernames, email addresses, hashed passwords, public posts, and – and we quote – “all content (mostly public, but also private messages) from way back then.”
The hackers also accessed logs of the email digests that Reddit sent to its users between June 3rd and June 17th, 2018. Those logs contain the entire email digest, so from them the hackers can glean not just your username and email address, but where in Reddit you hang out.
With that information they can do some pretty sophisticated social engineering. For example, they can send you email pretending to be from Reddit and reveal enough inside information – such as the subreddits to which you subscribe, or even just what was in the last email you received from Reddit – to convince you that they really are Reddit, and so get you to hand over whatever information they ask for.
August 2018 Email from Reddit Regarding Security Incident
From: Reddit Security
Subject: Reddit account credentials from 2007 compromised
TL;DR: As part of the security incident described here, we’ve determined that your Reddit account credentials from 2007 may have been compromised. You’ll need to reset your password soon to continue using Reddit. Details below.
* * * * *
On June 19, Reddit was alerted about a security incident during which an attacker gained access to account credentials from 2007 (usernames + salted password hashes). We’re messaging you because your Reddit account credentials were among the data that was accessed.
If there’s a chance the credentials relate to your current password, we’ll prompt you to reset the password on your Reddit account. Also, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
You can find more information about the incident in the announcement post linked above. If you have other questions not answered there, feel free to contact us at [email protected]
You may click here to unsubscribe from this email list if you want, but we don’t intend to use the list again.
Reddit says that the hackers also accessed “Reddit source code, internal logs, configuration files and other employee workspace files.”
One particular note of interest is that, according to Reddit, the employee accounts which were compromised – through which the hackers got in – were set up with two-factor authentication (also known as 2FA), and that the bad guys got around it by intercepting the SMS messages containing the 2FA code that were sent to the employees’ phones.
Reddit concludes their write-up by, among other things, urging all Reddit users to enable 2FA, which Reddit has now moved to an authentication-app platform rather than the SMS platform they suspect was the point of entry. And of course we agree, which is why we wrote Why to Set Up Two-Factor Authentication Everywhere You Can – Here’s Where, which includes links to set up two-factor auth on Google, Facebook, Twitter, Paypal, LinkedIn, Microsoft Live, Apple, Yahoo, and Dropbox, among others.
Ironically, as of the writing of this article, on August 20, 2018, Reddit’s form to enable 2FA throws a 403 error upon submit.
Still, we can’t fault their transparency after the fact of the breach. You can read their full write-up of that breach here.