Reddit disclosed that it suffered a data breach in June after an attacker compromised the accounts of some of its Reddit’s employees and used the hacked account credentials to steal user data.
The cybercriminal managed to gain access to some Reddit users’ current email addresses and a 2007 database backup that contained account credentials, including usernames, salted and hashed passwords, email addresses, as well as public and private messages. The old database contained user data from when Reddit was launched in 2005 till 2007.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” Reddit said in a statement. “They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”
A hacker managed to compromise the accounts of a few Reddit staff members between June 14 and 18. Reddit said that it discovered the attack on June 19. The attacker managed to bypass the Reddit staffers’ SMS-based two-factor authentication.
The attacker also downloaded some logs for Reddit’s email digest feature, which contained email digests sent on June 3 and June 17 2018. The hacker also accessed Reddit’s source code, internal logs, configuration files and other employee workspace files.
Reddit said that it is informing the affected users about the breach and urging users still using 2007 passwords to change their passwords. The site also said that it has reported the issue to law enforcement authorities and is cooperating with their investigation.
Reddit has taken measures to ensure that privileged points of access to its systems are better protected against such attacks. The site has also switched from SMS-based to token-based two factor authentication because they believe that the “root cause” of the incident was an inherent security weakness in SMS-based two-factor authentication.