Reddit has announced a major security breach that’s left user details exposed – but what exactly was lost?
We reveal the inner workings of the hack and explain how you might be at risk and what you should do next.
Reddit hack explained – what actually happened?
A hacker managed to break into Reddit’s systems, exposing user info.
The breach took place between June 14 and June 18, but Reddit didn’t find out until June 19.
Reddit only revealed the breach to the public on August 1, a whole 12 days after the incident.
“We’ve been conducting a painstaking investigation to figure out just what was accessed and to improve our systems and processes to prevent this from happening again,” Reddit explained.
Reddit breach – how did the hacker get into Reddit’s systems?
Reddit employees use something called two-factor authentication on their accounts.
That means they not only have to enter a password to log in, but they also need to receive a special code sent via text.
It’s a common way to protect your account from people who have nicked your password.
But Reddit says the attacker managed to intercept the SMS text message, granting access to staff accounts.
Reddit says “a few” staff members had their accounts compromised, adding: “We learned that SMS-based authentication is not nearly as secure as we would hope.”
As a result, Reddit is now switching to a token system – which involves buying a physical fob that produces log-in codes instead.
The attacker wasn’t able to make any changes to Reddit, but they gained access to private user files.
“The moral of this story is that SMS-based 2-factor authentication should not be considered ‘strong’ in the face of a determined attacker,” said Craig Young, security researcher at Tripwire.
Reddit hacked data – what info was stolen in the breach?
There were two main bits of info stolen in the Reddit attack.
The first was all Reddit data from 2007 and before, so if you were an early member then the following was made available to the attacker:
Passwords (encrypted, rather than plain text)
All content on the site
This is obviously extremely bad and will likely be very concerning to some users who hoped they were using Reddit anonymously.
If you are an affected user, you’ll receive a message with a warning. You’ll also find your password has been reset if your stolen credentials might still be valid.
Importantly, this part of the breach only affects users who signed up before 2007.
The second part of the breach potentially affects all users but is potentially less damaging.
Hackers gained access to email digests sent between June 3 and June 17, 2018.
Email digests are personalized newsletters, which show off some of the top posts from subreddit forums you follow.
Importantly, they only contain posts from safe-for-work subreddits – rather than from the hundreds of porn sub-forums available on the site.
These hacked digests reveal:
The email address associated with your username
Some of the subreddits you follow
If you don’t have an email address associated with your account, you’re not affected by this part of the breach.
Similarly, if you had email digests turned off during the breach period, you’re safe.
Otherwise, Reddit advises you to search your email inbox for emails from firstname.lastname@example.org between June 3 and June 17, 2018.
Reddit hack safety – what do you need to do next?
After any breach, it’s advisable to change your password immediately.
If you use the same passwords on several accounts, change those log-in details too.
The fact that the leaked passwords were encrypted isn’t good enough, sadly.
“Attackers use this information in a few ways,” said Travis Biehn, technical strategist at Synopsys.
“First up, they’ll try account name and password pairs on other websites, exchanges, banks and so on.
“Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90 percent of original password values.”
If you’ve used Reddit under the guise of anonymity to post anything you don’t want linked to your public life, we recommend deleting the old content – or even your Reddit account.
And it’s worth taking this incident as a warning that SMS two-factor authentication isn’t completely secure and that it may be worth investing in a physical authenticator key.
Koby Kilimnik, security researcher at Imperva, adds: “If you don’t like spam emails, you might also want to start using a different email account since those leaked emails will probably find their way into some spammer’s database.”