The hacker accessed current email addresses, an old database

Aug 2, 2018 03:37 GMT

Reddit reports that its systems were hacked in mid-June 2018 and that the email addresses of most of its users were compromised, along with some passwords from an old database backup dating back 11 years.

According to Reddit, the hack happened between June 14 and June 18, when a hacker compromised the accounts of several of its employees by intercepting the SMS messages they used for SMS-based two-factor authentication (2FA). The hacker then managed to access old salted and hashed passwords from a 2007 database backup, as well as the current email addresses of some Reddit users.

"A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again," said Reddit.

Reddit confirmed that the hacker obtained the email addresses of some of its users from logs containing email digests sent to users between June 3 and June 17, 2018. If your email address isn't associated with your Reddit account, the company says you are not affected by the hack. The hacker also accessed Reddit's source code, internal logs, and configuration files.

Update your passwords and enable token-based 2FA now

Reddit has sent messages to all users whose email addresses and passwords were compromised in the hack, urging them to update their credentials as soon as possible, especially if they use the same email address and password to log into other online services, as those accounts may be compromised too. Additionally, Reddit recommends that all users enable token-based 2FA now.

To change your password in the new Reddit interface, click your username at the top right of the screen and open User Settings. There, click the Change password link and enter your current password followed by the new one twice. Choose a strong password, ideally from a good password generator, and also enable token-based 2FA at the bottom of the page.

Reddit reported the incident to law enforcement, and the company is now doing everything in its power to make sure this doesn't happen again: it is enabling enhanced logging and encryption, and requiring its employees to use token-based two-factor authentication instead of the SMS-based kind, which the company believes is the root cause of this unfortunate incident.