Reddit has just announced that in a recent security breach, a hacker managed to break into its systems and access some user data, including current email addresses and a 2007 database backup containing old salted and hashed passwords. The company is also sending out emails to affected users, mostly those who joined Reddit in 2007 or earlier.
Here’s what the company announced:
“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
Reddit says that even though it was a serious attack, the hacker did not gain write access to Reddit systems or alter any information. The company has already taken steps since the event to further lock down and rotate all production secrets and API keys and to enhance its logging and monitoring systems.
If your account credentials were affected and there’s a chance they match the password you’re currently using on Reddit, you will be prompted to reset your account password on your next login.
Even if Reddit does not prompt you to do so, we suggest you change your password and enable two-factor authentication (2FA) right away.