Reddit data breach exposes the login credentials of accounts created in 2007


Recommended Posts

The attack was low-impact, but still 'serious'



Security and data breaches have pretty much become the norm for tech companies as of late. There was the Equifax breach last year, the Timehop breach in July, and Facebook's Cambridge Analytica incident in March.

Now, Reddit has informed its user base that it has discovered a breach of its own: hackers recently accessed a site database containing login credentials for accounts created back in 2007.

To be clear, the breach didn't occur in 2007. Rather, it happened sometime between June 14 and June 18. However, users who created their account during 2007 may have had their information compromised. If you created your account any time after that, you're in the clear.

Due to Reddit's relatively anonymous nature, no personal information has been put at risk. Nobody's name, address, or banking information has been exposed.

With that said, the breach is still important: attackers were able to access login credentials. This data is less critical, but it could prove troublesome for users who haven't changed their password in a while.

So, how did this breach occur? Reddit says hackers were able to intercept the platform's SMS-based 2-factor authentication (2FA) system.

"...we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Reddit CTO Christopher Slowe said in a detailed statement. Slowe goes on to advise users to switch to a token-based 2FA system instead, such as Google Authenticator.

To prevent similar attacks from happening in the future, Slowe says Reddit has taken "measures to guarantee that additional points of privileged access to Reddit’s systems are more secure." These measures include the implementation of "enhanced logging" and additional layers of encryption.



Reddit's hack response causes concern

Social media site Reddit has suffered a data breach, but has refused to disclose its scale.

The site said it discovered in June that hackers compromised several employees' accounts to gain access to databases and logs.


They were able to obtain usernames and corresponding email addresses - information that could make it possible to link activity on the site to real identities.


The hackers were also able to access encrypted passwords from a separate database of credentials from 2007.


Reddit said it would inform those affected by the loss of historic data, but would not be getting in touch with those impacted by the potentially much larger breach - a decision which has baffled prominent, independent security researchers.


“This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?” said renowned security researcher Troy Hunt, a specialist in data breaches affecting consumers.


"In the case where it's mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually."

'Users are not to blame'

Instead, Reddit suggested users concerned should search their own inboxes to see if they have received an “email digest” from the firm between 3 and 17 June this year - the period of time for which hackers were able to obtain detailed logs on user activity and identity.


"If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address,” wrote Christopher Slowe, Reddit’s chief technology officer.


Prof Alan Woodward from the University of Surrey said Reddit should be doing more to protect its users.


"Their concept of putting the onus on the user to consider if they have any data they wouldn’t want linked to an address is really not on,” said Prof Woodward.


"Users are not to blame.”


Reddit said hackers were able to gain access to the firm's information by breaching its measures for protecting employees' credentials. It authenticated access with a text message-based two-factor authentication system. In other words, when staff logged in, they had to confirm their identity by entering a code sent to them via text message.


The hackers, however, were able to intercept those text messages.


“We learned that SMS-based authentication is not nearly as secure as we would hope,” wrote Mr Slowe. He said the company has taken measures to make its systems more secure.

'More authentic, more true'

Reddit said it discovered, on 19 June, that hackers had obtained two datasets.


The first related to old user data - from May 2007 - that contained usernames, email addresses and encrypted passwords. On Wednesday Reddit began informing users who may be included in this dataset.


But it's the second part of the breach which could affect a far larger amount of people, and may have serious consequences for those who use Reddit under a pseudonym.


Hackers were able to access logs relating to the site’s email digest function, a service that sends a daily email containing the latest updates from the sections a user follows, known as subreddits.


These logs contained every email digest sent out over the 15-day period. Crucially, the logs contained both a person’s username and associated email address - providing hackers with a database from which a person’s real identity could potentially be discovered. These users are not being directly informed by the company.


The use of pseudonyms has been touted as one of Reddit’s greatest strengths. Speaking to The Atlantic, Reddit co-founder Steve Huffman said: "When people detach from their real-world identities, they can be more authentic, more true to themselves.”


Not all users receive the email digest, but for those signing up in the US, the feature is switched on by default. According to Reddit’s own advertising metrics, 20m people in the US visit Reddit every day. Its global user base is 330m - similar to Twitter.


When asked by the BBC, a spokesperson for Reddit refused to share any estimate for how many users may be affected. Nor would the person provide a figure for how many users were receiving the email digest at the time of the breach.


The company also did not respond to a follow up question asking for more details on how it plans to inform users directly about the risk.



