On Wednesday, Reddit reported a hacker had broken into a few of its systems and managed to access some limited user data, including current email addresses and a 2007 backup that contained old “salted and hashed” passwords. The incident, described as a “serious attack,” happened between June 14 and June 18. Thankfully, the attacker didn’t gain write access on Reddit systems. Instead, they gained read-only access to some systems that contained backup data, source code, and other logs.
With Reddit’s investigation now concluded, the site has determined the following type of data was compromised:
All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from firstname.lastname@example.org between June 3-17, 2018.
What should you do?
For its part, Reddit has informed law enforcement about what happened. It’s also messaging user accounts “if there’s a chance the credentials taken reflect the account’s current password.” Finally, Reddit says its systems are now more secure.
If you think you’re included in either or both of the groups mentioned above, Reddit suggests you reset your account password.
Additionally, it concludes:
Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.
Reddit should be commended for bringing this security breach to the public’s attention, although some may question whether it waited too long to do so. After all, this incident happened nearly six weeks ago. Regardless, if you’re a Reddit user, it’s probably wise to change your account password.
Has Reddit reached out to you about this issue? Let us know below.