The hack reportedly took place between June 14 and June 18 after hackers compromised Reddit employees' accounts with their cloud and source code hosting services.
The online discussion board, which prides itself on providing anonymity, said hackers compromised employees' accounts by gaining access to two datasets. The attacker broke into some of its systems and got access to some user data, but did not manage to modify any of the site's content.
Reddit said it was messaging user accounts "if there's a chance the credentials taken reflect the account's current password" and has urged users to check their Reddit inboxes as well as their emails to establish if they were affected by either breach. In the past, cybercriminals have assumed a victim's identity to trick cellular providers into essentially giving them access to the person's phone number. The digests also connected usernames to the email addresses to which the digests were sent, as well as suggested posts based on the subreddits to which the users subscribed.
But the logs also connected user names with their associated email address.
The US National Institute of Standards and Technology (NIST) has advised against using SMS-based 2FA, and academics have bypassed SMS-based 2FA for a few years now, but in recent weeks, SMS-based 2FA has been proven to be broken in the real world [1, 2]. It appears that SMS-based two-factor authentication played a key role.
Finally, the company has called on users to use a strong password and to enable two-factor authentication via an authenticator app.
The firm claimed it is notifying users about the older breach but has told users potentially affected by the newer one that they must proactively search their inbox for emails from firstname.lastname@example.org between June 3 and June 17, 2018.
Reddit users might believe they are relatively anonymous as they need to provide only a username and email address to sign up for an account, but Slowe advised users affected by the breach to think about whether there's anything on their Reddit account that they wouldn't want associated back to that address.
The company said that since the intrusion it has bolstered its monitoring systems and has reported the breach to law enforcement, which is investigating. If you're not yet using a password manager, now's the time to change that.
If you don't have two-factor authentication, it's a good idea to enable it on your most important accounts, like Facebook or your bank; it can usually be activated on the settings page.