Reddit Data Breach Exposed. What Do Reddit Users Need to Do Now?
Reddit was recently the sixth most popular website in the world according to Alexa. It draws more than 1.5 billion visits a month, which shows that for many people it is the perfect place for anything from discussing politics to sharing memes. Yesterday, Chris Slowe, the news aggregator's Chief Technology Officer, announced that Reddit had recently suffered a data breach.
On June 14, hackers broke into a few employees' accounts at Reddit's cloud and source code hosting providers. Thankfully, the compromised accounts apparently had read-only access. Slowe pointed out that although the crooks got to look at some backup data, logs, and source code, they weren't able to modify anything. They did steal some information, though.
More specifically, they took June's email digests, which is not that scary on its own, and a database containing everything Reddit had aggregated during the website's first two years of existence, which is quite scary. The database includes usernames, email addresses, salted and hashed passwords, public posts, and private messages of everyone who was active between Reddit's launch in June 2005 and May 2007.
The hackers stayed in for a full four days, until June 18, when Chris Slowe and his team realized they were being attacked and secured the systems.
Reddit and (most of) its users got lucky
This will be of little consolation to the people who were active redditors back in 2007, but the news is, in some respects, good. Granted, the hackers made off with some sensitive data, and the fact that they got their hands on private messages in particular is a huge invasion of privacy.
We mustn't forget, however, that Reddit's userbase was quite a bit smaller in 2007. Bear in mind that this was before what experienced redditors refer to as "the Digg migration" – a wave of users moving away from Digg and subscribing to Reddit in 2010. If the hackers had stolen a newer database, the impact would have been much more devastating.
It is actually quite surprising that they failed to do any more damage. Details are still scarce, but Reddit's CTO himself described the attack as "serious" and from the facts he gave us, we can conclude that the hackers were nothing if not determined and sophisticated.
Clearly, they somehow managed to steal the login credentials of some Reddit employees, but that alone wasn't enough. The accounts were protected with two-factor authentication (2FA), and the attackers managed to get past it.
It wasn't a never-before-seen attack. The 2FA system Reddit's hosting provider used was based on codes sent via SMS. For years, security specialists have been arguing that text messages aren't secure enough to provide the second factor in a 2FA system: an SMS code can be diverted by a SIM swap at the carrier, by abuse of the SS7 signalling network, or by malware on the phone, and it protects nothing if the victim is talked into typing it into a phishing page. Reddit hasn't said which of these was used, only that the codes were intercepted, and that is proof enough that the specialists aren't blowing hot air. Nevertheless, it's clear that the attackers weren't script kiddies.
What should Reddit users bear in mind?
Chris Slowe's post states that the stolen passwords were salted and hashed, but it doesn't reveal the algorithm that was used, so it's difficult to say whether the hackers have anything of value in that respect. A salt only stops the attacker from reusing precomputed tables; with the stolen table in hand they can still guess common passwords offline, one record at a time, and how many they recover depends almost entirely on how slow the hashing algorithm is. The data is eleven years old, so a large portion of the passwords are probably no longer in use, but despite this, if you're affected, Reddit says it will reset your password just in case. Naturally enough, if you've reused it on other websites, you should change it there as well.
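To make the point concrete, here is an added example (not code from Reddit or from this article) of what an attacker does with a stolen table of salted hashes. It builds two small tables of constructed, fictional accounts, one hashed with fast salted SHA-1 and one with a deliberately slow PBKDF2, runs the same offline dictionary attack against both, and measures how many guesses per second each scheme allows. The wordlist, usernames and passwords are all made up for the demonstration; Reddit's real algorithm is unknown, which is exactly why the choice matters.

```python
import hashlib
import os
import time

# Constructed wordlist of weak passwords for the demonstration (not from any real leak).
WEAK_PASSWORDS = ["password", "123456", "letmein", "qwerty", "dragon", "hunter2"]


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast salted hash: the salt defeats precomputed tables and nothing else."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Deliberately slow salted hash: every guess costs the attacker 100k HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_records(users, scheme):
    """Build a fake 'stolen' table of (username, salt, hash) with a random per-user salt."""
    records = []
    for username, password in users:
        salt = os.urandom(16)
        records.append((username, salt, scheme(password, salt)))
    return records


def dictionary_attack(records, wordlist, scheme):
    """Offline attack against a stolen table. Per-user salts mean each guess has to be
    hashed once per record, but a short wordlist still gets through cheaply.
    Returns {username: recovered_password} for every record that falls."""
    recovered = {}
    for username, salt, digest in records:
        for guess in wordlist:
            if scheme(guess, salt) == digest:
                recovered[username] = guess
                break
    return recovered


def guesses_per_second(scheme, n: int = 20) -> float:
    """Rough single-threaded attacker throughput for one scheme on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(n):
        scheme(f"guess-{i}", salt)
    return n / (time.perf_counter() - start)


SAMPLE_USERS = [  # constructed accounts, not real redditors
    ("alice", "hunter2"),                     # weak: in every wordlist
    ("bob", "correct horse battery staple"),  # strong: not in the wordlist
]

if __name__ == "__main__":
    for name, scheme in (("salted SHA-1", sha1_salted), ("PBKDF2-SHA256", pbkdf2_salted)):
        table = make_records(SAMPLE_USERS, scheme)
        found = dictionary_attack(table, WEAK_PASSWORDS, scheme)
        rate = guesses_per_second(scheme)
        print(f"{name:14} cracked={found}  ~{rate:,.0f} guesses/s")
```

Both schemes give up "alice" immediately, because no amount of salting protects a password that appears in a wordlist; the salt only forces the attacker to hash the wordlist once per user rather than once in total. What separates the two is the rate: the SHA-1 table can be attacked at millions of guesses per second even in plain Python, while PBKDF2 (or bcrypt, scrypt, Argon2) cuts that by several orders of magnitude, which is the difference between a whole 2007 userbase being cracked in hours and only the weakest passwords ever being recovered.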
The email addresses do give hackers the chance to embark on some highly targeted spearphishing expeditions, though, so you must keep your eyes peeled, and if you haven't enabled 2FA on Reddit, do it as soon as possible. You should also take this as a lesson: a text message is not secure enough to act as the second factor in a 2FA system. If the service offers an authenticator app or a hardware security key instead, pick one of those.