Reddit hack exposes private messages and user identities

Remigio Civitarese
August 3, 2018

Reddit says "the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages)".

"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication, we learned that SMS-based authentication is not nearly as secure as we would hope", said Reddit. The logs connect usernames with associated email addresses and contain suggested posts from the safe-for-work subreddits users subscribe to.

In other words, the breach appears to have only exposed email address information for existing users and scrambled password data for long-time Reddit fans from over a decade ago.

Reddit is messaging user accounts "if there's a chance the credentials taken reflect the account's current password" and has advised people to check Reddit inboxes as well as emails to see if they were affected.

A hacker managed to break into Reddit's systems, exposing user info. Together, these details could.

Ambuj Kumar, CEO of Fortanix, noted that malicious actors can intercept text messages using fake base stations or subscriber hijacking attacks, yet many banks and service providers continue to use SMS-based authentication. You can also check for emails from [email protected] between June 3 and June 17.

"We learned that SMS-based authentication is not nearly as secure as we would hope", Slowe wrote.

Most of the other data accessed is on the Reddit backend, so no other user data is expected to have been compromised.

Fundamentally, two-factor authentication involves combining something you know (the password) with either something you have (a device) or something you are (a biometric component, for example).

While the attack was serious, hackers didn't manage to get much of value aside from some users' email addresses and some hashed email and password combinations from a 2007 database backup.

The company has already reported what happened to law enforcement and is cooperating with an investigation. Because of this, the Reddit team is recommending that everyone move to two-factor authentication (2FA) just in case the hackers attempt to use their login credentials. "If your account credentials were affected and there's a chance the credentials relate to the password you're now using on Reddit, we'll make you reset your Reddit account password", said Reddit administrator KeyserSosa.

If you were impacted, you should absolutely change your password, especially if it's the same one you've used for over a decade.

And it's worth taking this incident as a warning that SMS two-factor authentication isn't completely secure and that it may be worth investing in a physical authenticator key.
