Reddit User Data Compromised in Sophisticated Cyber Attack
Reddit is the latest company to suffer a data breach in an attack that has exposed the email addresses, usernames, passwords and private messages of some of its users.
With around 542 million users a month, the online forum is the sixth most popular website in the world, but it has yet to confirm how many people have been affected by the breach.
The company confirmed that two sets of data had been accessed by the hackers, including one dating back to 2007 that contained account details and a list of all public and private posts.
The second data set was accessed between 3 and 17 June this year and included internal logs and databases that were linked to Reddit’s daily digest emails. The usernames and passwords that were linked to these specific accounts were also compromised in the attack.
The company was hacked after its two-factor authentication security system was breached. Two-factor authentication provides an extra layer of security, as users are asked to verify their identity by entering a password and a special one-off code sent via text message.
Hackers were able to gain access to the system by spoofing the telephone numbers of some of Reddit’s employees and then intercepting the codes sent via text.
The company has since noted that two-factor authentication is not as strong as it had hoped, and it is now implementing token-based two-factor authentication, which will provide extra security to accounts.
Reddit chief technology officer Christopher Slowe commented on the data breach: “On June 19, we learned that an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.
“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password.
“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today. If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”