Reddit Suffers Data Breach With Hackers Obtaining Email Addresses From Some Users

Reddit this morning announced that it has suffered a data breach, with a hacker able to access email addresses from some current accounts and a 2007 database backup that included old salted and hashed passwords.

The data breach occurred between June 14 and June 18, with hackers accessing Reddit employee accounts through the company's cloud and source code hosting providers rather than the site itself. Those systems used SMS-based two-factor authentication that failed, and the main attack happened through SMS intercept.


Reddit has a detailed list of what was accessed. A complete copy of an old database backup containing early Reddit user data was stolen, and Reddit says that the most significant data in the backup included account credentials (username and salted hashed passwords), email addresses, and public and private messages.

Email digests sent by Reddit in June 2018 were also obtained. These included usernames linked to their associated email addresses, along with suggested posts from select subreddits.

Reddit is sending emails to users affected by the database hack, which does not impact people who signed up for Reddit after 2007.

Customers who do not have an email address associated with their accounts or who did not check the "email digests" user preference are not affected by the email digest breach.

Reddit has informed law enforcement and is cooperating with an investigation, and has taken measures to ensure privileged access to its systems is more secure.

Reddit says it will be resetting the passwords of affected users, but the site recommends all Redditors consider updating their passwords to something strong and unique, as well as enabling two-factor authentication. Reddit's two-factor authentication is via authenticator app and is not vulnerable to SMS intercept.


Top Rated Comments

16 months ago
Reddit is great if you stay away from the toxic subreddits. There are plenty of really informative and helpful communities like r/personalfinance and r/getmotivated that have tight moderation.
Rating: 16 Votes
16 months ago
I love Reddit.... hope it continues to flourish.
Rating: 8 Votes
16 months ago
I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.
Rating: 6 Votes
16 months ago
Glad it’s only a problem that affects those who signed up before 2007, unless I missed something. Reddit was tiny back then compared to nowadays.

I’m a fan of Reddit. I’ve learned a ton of stuff on a wide variety of subjects there. Great for keeping up on major news, local news. Of course it has had, and still has, some dark corners, such as r/The_Donald, r/Incels, r/The Red Pill etc, but the majority of subreddits aren’t pure evil.
Rating: 5 Votes
16 months ago

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.


Kind of like MacRumors, huh?
Rating: 5 Votes
16 months ago
My own take on Reddit, the one site I hard pass on for any discussion or information related.
Rating: 5 Votes
16 months ago
Screw that place.... couldn’t care if it burned down.
Rating: 4 Votes
16 months ago

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.


Just like the real world. It seems like you think Reddit is some niche site, when in reality it's the 5th most visited website in the U.S., right between Amazon and Wikipedia, and the 17th most visited website in the world.
Rating: 3 Votes
16 months ago

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.


More importantly, something I've stated on these boards before, that SMS is NOT a secure delivery method for authentication. Providers may host SMS and you may have the only SIM card but network switches CAN be intercepted and SMS is just plain text ... open text, no encryption. SO many people were breathing down my neck ... yet I personally had access to both Rogers Wireless (Canada) and T-Mobile USA's network switches (Ericsson & Nokia respectively) as a rep back in 2001-2004 and I know a phone number can be co-located on more than 1 SIM card, and that a SIM card CAN be cloned ON the switch! I wish I kept training notes and screenshots to upload.
Rating: 2 Votes
16 months ago


But this is concerning. SMS intercept? What? I know there's info on this, but it requires knowledge of how all that incredibly complicated cellular stuff works, and I kinda assumed it was secure enough since so many sites rely on it.


This has been around for a while. It's made news recently. Not too hard to social engineer (or outright bribe) mobile company employees to redirect an existing number to a new SIM card and suddenly the bad actor is able to receive the code to reset your account. They redirect to any new email/phone they want and you've lost access. People have been stealing OG screen names on Insta and Twitter that way and selling them for $1000+. Evidently T-Mobile even had a poorly secured tool available for quite a while that allowed people to get account information so they could just call in to the main customer service line and had all the required account information to ask T-Mobile to change SIMs. That tool was closed down recently after being in use for multiple years.

Seems like the lead was buried here. These folks got access to Reddit's source code provider? If they have site source now they'll no doubt be looking for anything available to exploit and we should see (or not see but have there exist) a bigger breach soon. No code is perfectly secure and when you have source access it makes it much easier to find the chink in the armor.
Rating: 2 Votes