Reddit revealed yesterday that a hacker broke into its systems and accessed some user data, including current email addresses and old passwords.
The social media network discovered the hack in June, and has since been “conducting a painstaking investigation” into the episode, Reddit says in a post published on Wednesday.
The company does not say how many users were affected.
According to the post, the hacker accessed the “logs containing the email digests we sent between June 3 and June 17, 2018.”
The post continues that these logs contain the digest emails themselves, and that “digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.”
The hacker also obtained access to “a complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007.”
Included are “account credentials, including user names and salted hashed passwords, email addresses and all content, including public and private messages.”
The firm learned on June 19 that "an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers" from June 14 to June 18.
It adds: "Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs."
The post explains: “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
Krebs on Security writes: "A more secure alternative to SMS involves the use of a mobile app — such as Google Authenticator or Authy — to generate the one-time code that needs to be entered in addition to a password."
Reddit says it has reported the issue to law enforcement. In addition, it is reaching out to users whose current password may have been breached.
It also has taken measures to “guarantee that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.),” it writes.
Reddit advises affected users to reset their passwords. And it states, “If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.” It offers advice on how to do this on a help page.