April 28, 2021
Reddit security breach

Reddit Discloses 2007 Security Breach Hack of User Data

Reddit has disclosed a security breach and is warning users that their data might be compromised as the company takes steps to address the hack…

Reddit has posted a lengthy message on its site, warning users that it was the victim of a security breach. The exposed data includes current email addresses and a 2007 database containing usernames and passwords that were already scrambled for protection.

2007 Reddit Security Breach Disclosed to Users

The “Front Page of the Internet” is sending email to affected users. Mostly, these are individuals who joined in 2007 or earlier. The hacker, who overcame SMS-based authentication, was also able to read the email digests Reddit sent in June of this year, which means the hacker can see users’ email addresses as well as the relevant, safe-for-work subreddits they follow.

As a result, Reddit recommends that users change their passwords for logging into the platform and for other sites. Additionally, the company advises using token-based two-factor authentication, because the hacker gained access through an SMS intercept attack. Here’s what the company wrote on its site about the incident:

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.

Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Reddit has informed law enforcement about the security breach and is cooperating with the investigation.