Reddit discloses hack, reveals hackers stole e-mail addresses and outdated passwords
Reddit, the social discussion and forum-hosting website, said in a blog post on Wednesday that a security breach earlier this summer compromised the personal data of some users, including e-mail addresses and private messages. However, the company did not disclose how many of its users were affected.
According to Reddit, the hackers managed to break into its computer systems and obtained access to some user data, including some current e-mail addresses and a 2007 database backup containing old salted and hashed passwords. This 2007 database backup included very early Reddit user data: account credentials (username + salted hashed passwords), e-mail addresses, and all content (mostly public, but also private messages) from the time of the site’s launch in 2005 through May 2007.
The cyberattack took place between June 14 and June 18, when hackers “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” the company said, and its site administrators became aware of the hack on June 19.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code, and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company added.
Reddit uses the common SMS-based two-factor authentication (2FA) to protect its main access points for code and infrastructure. However, Reddit said hackers had intercepted SMS 2FA verification.
“We learned that SMS-based authentication is not nearly as secure as we would hope,” Reddit said in its warning post.
“We’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”
Reddit is messaging user accounts and has suggested that people check their Reddit inboxes as well as their e-mails to see if they were affected.
The company said in its post: “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password.
“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want to be associated back to that address.”
For more information on how to remove information from your account, you can visit this help page.
Reddit has recommended that users use a strong, unique password and enable 2FA (which the company provides via an authenticator app, not SMS). It has also asked its users to be alert for potential phishing or scams.