
The Reddit Data Breach | TOTP-based 2FA

Between June 14 and June 18, 2018, the accounts of several Reddit employees were compromised, and through them Reddit user data. Although the attackers gained only read-only access, your data may still have been affected.

What data was affected?

Per Reddit’s written statement, “A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.”

How did it happen?

Although the employee accounts tied to the breach were protected by SMS-based two-step verification, the attackers were able to intercept the SMS messages. Reddit has not disclosed exactly how the interception occurred, but it has since replaced SMS-based verification for its employees with token-based two-factor authentication.

SMS-based OTP, while convenient, is vulnerable to exactly this sort of interception: SIM-swap and port-out scams, in which the attacker persuades the carrier to move the victim's number to a SIM they control, are common methods. In 2016, the National Institute of Standards and Technology (NIST) deprecated SMS as an out-of-band authenticator in its draft Digital Identity Guidelines (SP 800-63B) because of these weaknesses, while noting that SMS-based OTP is still better than no second factor at all.

A more secure option than SMS

A preferred form of 2FA uses a time-based one-time password (TOTP). The user installs an authenticator app on their device (or carries a hardware token), and the service and the app share a secret key once, at enrollment. At sign-in, the user first enters a username and password, then, when prompted, the six-digit code the app currently shows; the app derives that code from the shared secret and the current time, and it changes every 30 seconds. Because the code is generated on the user's own device, the mobile carrier is removed from the login process, so a SIM swap or port-out gains the attacker nothing. It does not, however, defeat real-time phishing: a fake site that relays your username, password and current code to the real service within the 30-second window still gets in, so the code should only ever be typed into the genuine site. Commonly used TOTP applications are Google Authenticator and Authy.

Was my information compromised?

If your email address was associated with your account, or your “email digests” preference was enabled, you may have been affected. Search your inbox for messages from noreply@redditmail.com sent between June 3 and June 17, 2018; if you find one, assume your username and email address were linked in the data the attackers could read.

Next steps

If you had a Reddit account between 2005 and 2007 and have reused that password anywhere since, change it now, and switch any account that still relies on SMS codes to an authenticator app where the service allows it.

Get RoboForm today!

