Reddit informed its users today that a hacker broke into some of its systems and accessed user data, including current email addresses and a 2007 database containing usernames and passwords that were already salted and hashed (that is, stored as one-way hashes with a random salt rather than in plaintext).
Reddit is sending an email to all affected users — mostly people who joined Reddit in 2007 or earlier. The hacker was also able to read the email digests Reddit sent out in June 2018, so they could see users’ email addresses and the safe-for-work subreddits those users followed. Reddit recommends that users who may still be using passwords similar to the ones they had in 2007 change their password on Reddit and on other sites.
The company is also encouraging users to enable token-based (app-generated) two-factor authentication through a service like Authy or Google Authenticator, as the hacker gained access to Reddit’s systems through an SMS intercept attack. “We learned that SMS-based authentication is not nearly as secure as we would hope,” Reddit wrote in its post to users.
By June 19th, Reddit had discovered the attack and begun investigating the extent of the damage while ramping up security measures. Reddit contacted law enforcement and is cooperating with its investigation.
The hacker was also able to see private and public messages posted between 2005, when Reddit was created, and 2007. A user commenting on the security post noted that the hacker could potentially piece together a Redditor’s actual username from their email address, and suggested that, to be safe, users delete any incriminating posts accessible from their profile.