Reddit says hackers breached its systems, some user data compromised

Clark Byrd, Aug 03, 2018

Reddit has suffered a "serious" data breach but seems unwilling or unable to put a figure on its size.

In a post on its r/announcements section, the company said that sometime between June 14 and June 18 an attacker "broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords".

"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Reddit's KeyserSosa said, without elaborating.

Reddit has announced that it was hacked back in June, with the intruder gaining access to a website backup and user data.

Cyber crooks managed to swipe user data that included usernames, email addresses and hashed passwords.

While the size of the breach has yet to be clarified, Reddit said two data sets had been accessed by hackers, including one from 2007 containing account details and all public and private posts between 2005 and May 2007.

Reddit said it would inform those affected by the loss of historic data, but would not be getting in touch with those impacted by the potentially much larger breach - a decision which has baffled prominent, independent security researchers.

Some other Reddit information was breached with read-only access (things such as Reddit source code, internal logs, and configuration files), but the above two areas are the main ones that affect redditors.

What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. But the logs also connected user names with their associated email address.

In other words, the breach appears to have only exposed email address information for existing users and scrambled password data for long-time Reddit fans from over a decade ago. That includes the content of the emails themselves, user email addresses, and the account associated with that email address. Primary access points for code and infrastructure are behind 2FA but SMS-based authentication was not secure enough.

Reddit pinned the incident on the hacker's ability to bypass 2FA.

'If you signed up for Reddit after 2007, you're clear here,' he wrote.

Even if Reddit doesn't notify you and you have been using the same password since 2007, it is probably better to reset it anyway, since by now it may have made its way to a number of dumped databases.

The attackers would only be able to bypass the SMS-based 2FA if they could intercept the SMS codes, either by hacking the Signaling System Seven (SS7) protocol that wireless carriers refuse to fix, even when called out by members of Congress, or by social engineering the porting of the Reddit employees' phone numbers to the hackers' own phones.
