Reddit confirms data breach of users details including passwords

The forum site is unable to verify the scale of the two breaches in 2007 and 2018

Christopher Slowe, Reddit chief technology officer:  ‘think about whether you still use the password you used on Reddit 11 years ago on any other sites today.’ Photograph: Adam Peck/PA
Christopher Slowe, Reddit chief technology officer: ‘think about whether you still use the password you used on Reddit 11 years ago on any other sites today.’ Photograph: Adam Peck/PA

Forum website Reddit has confirmed it was the victim of a data breach which has compromised usernames, passwords and email addresses but has not confirmed the size of the breach.

The website confirmed two sets of data had been accessed by hackers who broke in using compromised employee accounts – one from 2007 which included account details and all public and private posts between 2005 and May 2007.

A second, likely larger set of data was also accessed between June 3rd and 17th this year, which included logs and databases linked to the daily email digests Reddit sends out to users.

This data includes usernames and email addresses linked to those accounts.

READ MORE

The firm said it discovered the breach on June 19th, with the attack having taken place during the four previous days.

Reddit said it was messaging user accounts “if there’s a chance the credentials taken reflect the account’s current password” and has urged users to check their Reddit inboxes as well as their emails to establish if they were affected by either breach.

“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password,” the firm’s chief technology officer Christopher Slowe said.

“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.

“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”

The forum said the employee accounts had been accessed when hackers were able to breach the two-factor authentication used to confirm log-in.

It used a text message system that required employees to enter a code sent to them via SMS as well as normal log-in details when trying to access the site.

However, Reddit said hackers had intercepted those text messages.

In response to the attack, cybersecurity experts have warned users to be vigilant of any phishing scams that could be attempted using the stolen data.

Robert Capps, vice president at NuData Security, said: “Fortunately, this Reddit breach doesn’t include credit card information.

“However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked.

“From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities, as little as an email address can go a long way in the hands of a bad actor.

“Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.” – Press Associations