Today, CTO Christopher Slowe announced in a post that Reddit had been hacked. The security incident took place in June, and according to Slowe, some user data was compromised. Thankfully, the attack didn’t have the wide-sweeping effect it could have, but some long-time users of the site may need to be cautious.
The most concerning data stolen was a 2007 backup of the Reddit database. All user account info from that time has been compromised, including usernames, email addresses, and salted and hashed passwords. Fortunately, Reddit wasn't doing something completely dumb at the time like storing passwords in plain text, but the way passwords were salted and hashed in 2007 is not up to modern standards. A salt stops precomputed lookup tables, yet if the underlying hash is a fast general-purpose function rather than a deliberately slow, memory-hard one, anyone holding the backup can test an enormous number of guesses per second against every account offline. Any password from that era that is a dictionary word or a common pattern should be assumed crackable, so you're still best off changing it.
Slowe explained that the Reddit hack used a weakness in Reddit’s internal two-factor system to gain admin access to specific cloud storage areas. In addition to the 2007 database backup, the hackers also had access to email digests sent by Reddit in June 2018 as well as the source code for the site, internal logs, configuration files, and employee workspace files.
Reddit management is currently working with law enforcement to investigate the issue. The weakness in the company's internal two-factor authentication system has also been addressed. Slowe stated that messages were being sent to accounts whose current password resembles the one they used in 2007.
If you were a Reddit user in 2007, check that your password isn't the one you were using then, and change it anywhere else you reused it. If you receive Reddit email digests, the attackers can tie your email address to your username, so be wary of unexpected password reset emails: if you want to reset your password, start the process from the site yourself rather than following a link in a message you didn't request.
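The two points above, that a salted but fast hash from 2007 is cheap to crack offline and that the sensible check is whether your current password still matches the old one, are easier to see in code. The following is an added example written for this article, not Reddit's code and not a claim about which hash Reddit actually used in 2007: the "legacy" scheme is assumed to be a single salted SHA-1 round, the "modern" scheme is scrypt from Python's standard library, and the wordlist and the test password `hunter2` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for a real cracking wordlist (assumption: the leaked
# 2007 password is a common one, which is exactly the case an attacker hopes for).
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "reddit2007", "correcthorse"]


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Illustrative 2007-style scheme: one salted SHA-1 pass (assumed for the
    example; not Reddit's actual scheme).  Fast by design, which is the problem."""
    return hashlib.sha1(salt + password.encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Memory-hard KDF (scrypt, stdlib).  Parameters are demonstration values;
    production settings should be tuned to the server's budget."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def verify(candidate: str, salt: bytes, stored: bytes, hash_fn) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, hash) pair."""
    return hmac.compare_digest(hash_fn(candidate, salt), stored)


def dictionary_attack(salt: bytes, stored: bytes, hash_fn, wordlist=WORDLIST):
    """Offline guessing against one leaked record, as the attacker would run it.
    Returns (recovered password or None, guesses tried, seconds spent)."""
    start = time.perf_counter()
    for tried, word in enumerate(wordlist, 1):
        if verify(word, salt, stored, hash_fn):
            return word, tried, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def password_reused(current_password: str, salt: bytes, leaked_hash: bytes) -> bool:
    """The check behind 'is my 2007 password still my password?': hash the
    current password with the leaked salt and compare to the leaked hash."""
    return verify(current_password, salt, leaked_hash, legacy_hash)


def demo(password: str = "hunter2") -> dict:
    """Crack the same password under both schemes and report the cost of each."""
    salt = os.urandom(16)
    legacy_cracked, legacy_tries, legacy_seconds = dictionary_attack(
        salt, legacy_hash(password, salt), legacy_hash)
    modern_cracked, modern_tries, modern_seconds = dictionary_attack(
        salt, modern_hash(password, salt), modern_hash)
    return {
        "legacy_cracked": legacy_cracked,
        "legacy_seconds": legacy_seconds,
        "modern_cracked": modern_cracked,
        "modern_seconds": modern_seconds,
        # Same wordlist, same outcome; the only defence a slow hash buys is
        # making each guess cost thousands of times more.
        "slowdown_factor": modern_seconds / max(legacy_seconds, 1e-9),
    }


if __name__ == "__main__":
    result = demo()
    print(f"legacy : cracked={result['legacy_cracked']!r} in {result['legacy_seconds']:.6f}s")
    print(f"modern : cracked={result['modern_cracked']!r} in {result['modern_seconds']:.3f}s")
    print(f"each guess is roughly {result['slowdown_factor']:.0f}x more expensive under scrypt")
```

Note that both schemes fall to the same six-word list; the memory-hard hash does not make a weak password safe, it only makes each guess cost more, which is why the advice is to change the password rather than rely on how it was stored. The reuse check is the one-line idea behind Reddit's notification to users whose current password matches their 2007 one.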
This breach could have been a lot worse. Reddit is one of the most trafficked sites on the web, and while it doesn't take much identifying info to make an account, even a username tied to an email address and a reusable password is damaging in the wrong hands.