Reddit data breach exposes the login credentials of accounts created in 2007


The hackers in question unearthed not just usernames but corresponding email addresses, meaning it's very possible to link site activity to real identities.

Reddit encourages users to change their passwords if they are similar to those they had in 2007 and to enable token-based two-factor authentication as the hackers reached its systems through SMS intercept.

In a post on its r/announcements section, the company said that sometime between June 14 and June 18 an attacker "broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords".

The Reddit team is working with law enforcement and cooperating with the investigation, messaging user accounts if there's a chance their data has been taken, and has better-secured Reddit's systems. The logs connect usernames with associated email addresses and contain suggested posts from the safe-for-work subreddits users subscribe to.

'We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,' the company said.

Reddit said it discovered the breach on 19 June, four days after the attack took place.

Ambuj Kumar, CEO of Fortanix, noted that malicious actors can intercept text messages using fake base stations or subscriber hijacking attacks, yet many banks and service providers continue to use SMS-based authentication.

But, while Reddit is catching flak for using 2FA in the first place, many are praising the company for being transparent about what has happened and taking steps to correct the situation.

According to the information published, the data accessed is not recent and refers to the years between 2005 and 2007. In what one can only assume is a PR move, Reddit is refusing to publicly reveal the extent of the data breach.

If the passwords haven't been properly salted (a unique salt for each password), the attacker might recover some of them relatively quickly and might try to use the compromised account name and password pairs on other websites.

App-based two-factor authentication is more secure than SMS simply because the attacker in that case would need to steal your mobile device or somehow infect it with malware in order to gain access to that one-time code. The bad news? It involved a two-factor authentication scam. The core idea behind 2FA is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. It's not as hard as you might think. In addition, some sites that do support more robust, app- or key-based two-factor authentication still allow customers to receive SMS-based codes as a fallback method.
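The effect of per-password salts described above, as an added example (not from the original article or from Reddit): with one site-wide salt, accounts that share a password store identical digests and one wordlist pass covers every account, while unique salts force a separate pass per account. The account names, passwords, PBKDF2 parameters and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 10_000  # assumption: kept low so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored digest with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_table(users, salt_for):
    """Return {user: (salt, digest)}; salt_for(user) picks that user's salt."""
    return {u: (s, hash_password(pw, s))
            for u, pw in users.items() for s in [salt_for(u)]}


def audit_salts(table):
    """Defender check: salts that are shared by more than one account."""
    counts = Counter(salt for salt, _ in table.values())
    return {salt: n for salt, n in counts.items() if n > 1}


def duplicate_digests(table):
    """Groups of accounts whose stored digests are byte-for-byte identical."""
    groups = {}
    for user, (_, digest) in table.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def hashes_to_cover(table, wordlist_size):
    """Hash computations needed to test a wordlist against every account:
    one full pass per distinct salt."""
    return len({salt for salt, _ in table.values()}) * wordlist_size


def verify(table, user, password):
    """Constant-time login check against the stored salt and digest."""
    salt, digest = table[user]
    return hmac.compare_digest(digest, hash_password(password, salt))


# Constructed sample accounts; two of them reuse the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
SHARED = build_table(USERS, lambda u: b"site-wide-salt")  # weak: one salt
UNIQUE = build_table(USERS, lambda u: os.urandom(16))     # per-password salt
```

Running `audit_salts` over a credential store is a quick way to confirm that every record carries its own salt.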

All Reddit data from 2007 and before, including account credentials and email addresses.
