Reddit announced today that its systems had been hacked at some point earlier this summer.
In a post on its r/announcements section, the company said that sometime between June 14 and June 18 an attacker “broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.” The hacker was able to bypass SMS-based authentication, which is a common safeguard used to protect against external intrusion. But, as Reddit writes, this text-based form of two-step authentication is “not nearly as secure as we would hope.”
The attacker was able to access very early Reddit user data, including everything from the year 2007 and before. This means email addresses, usernames, and salted and hashed passwords were likely accessed. In addition, email digests sent in June 2018 were accessed.
Here’s what you need to know:
- If your information was included in the old data, Reddit will send you a message with instructions on how to change your password. This only affects people who signed up for the website in 2007 or before.
- If you’re unsure whether you received a Reddit digest in June 2018, you can check by searching your email for messages from “email@example.com.” If you got an email from that address between June 3 and June 17, 2018, your email address was likely accessed by the attacker.
- If you were impacted, you should absolutely change your password, especially if it’s the same one you’ve used for over a decade. You should also change it for any other accounts that may share the same password. Reddit adds that if there’s anything on your account you don’t want linked with your email address, now would be a good time to remove it.
Overall, this is a good reminder that attackers can overcome even widely accepted security defenses. You may want to rethink using SMS-based authentication and use an authenticator app for two-factor authentication instead.
To learn more about the attack, as well as what else you can do to protect your Reddit account, you can read the post here.