Reddit recently informed its users that a hacker broke into some of its systems and accessed user data, including current email addresses and a 2007 database containing usernames and salted, hashed passwords. The web content aggregation platform told users that the hacker gained access to several employee accounts via SMS intercept between June 14 and June 18.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code, and other logs.”
Reddit is sending an email to all affected users – mostly people who joined Reddit in 2007 or earlier. Reddit is also encouraging users to enable token-based two-factor authentication through a service like Authy or Google Authenticator.
The company also said:
“They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”
On 19th June, Reddit discovered the attack and began investigating the extent of the damage while enhancing its security measures. Reddit also contacted law enforcement and is cooperating with their investigation. Slowe also said:
“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.”
One user also noted that the hacker could possibly piece together a Redditor’s actual username from their email address, and that, to be safe, users should delete any incriminating posts accessible from their profile.