Reddit took to their blog last night to announce a security incident that affects data from 2007 and older. The security incident also affected some data from 2018. Hackers were able to gain access to some users current email addresses and a database from 2007 containing passwords. Reddit discovered the security incident on June 19th and says the breach occurred between June 14th and 18th.
Reddit says the hacker did not gain write access to its systems but was able to gain read-only access to the systems that contained backups, source code, and logs. The hackers did not alter Reddit information and the company is already taking steps to lock down their system.
What information was involved?
Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:
All Reddit data from 2007 and before including account credentials and email addresses
- What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
- How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
- What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
- How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from firstname.lastname@example.org between June 3-17, 2018.
As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data.
Reddit has informed law enforcement of the security incident and is informing any users affected by the breach. They are also taking the normal steps one would take after such an incident in tightening up security.
Last Updated on August 2, 2018.