Reddit Suffers Data Breach With Hackers Obtaining Email Addresses From Some Users

[MacRumors]

Reddit this morning announced that it has suffered a data breach, with a hacker able to access email addresses from some current accounts and a 2007 database backup that included old salted and hashed passwords.

The data breach occurred between June 14 and June 18, with hackers accessing Reddit employee accounts through the company's cloud and source code hosting providers rather than the site itself. Those systems used SMS-based two-factor authentication that failed, and the main attack happened through SMS intercept.

Reddit has a detailed list of what was accessed. A complete copy of an old database backup containing early Reddit user data was stolen, and Reddit says that the most significant data in the backup included account credentials (username and salted hashed passwords) email addresses, and public and private messages.

Email digests sent by Reddit in June 2018 were also obtained. This included usernames linked to an associated email address along with suggested posts from select subreddits.

Reddit is sending emails to users affected by the database hack, which does not impact people who signed up for reddit after 2007.

Customers who do not have an email address associated with their accounts or who did not check the "email digests" user preference are not affected by the email digest breach.

Reddit has informed law enforcement and is cooperating with an investigation and has taken measures to ensure privileged access to its systems are more secure.

Reddit says it will be resetting the passwords of affected users, but the site recommends all Redditors consider updating their passwords to something strong and unique, as well as enabling two-factor authentication. Reddit's two-factor authentication is via authenticator app and is not vulnerable to SMS intercept.

Article Link: Reddit Suffers Data Breach With Hackers Obtaining Email Addresses From Some Users

 

[macduke]

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.

 

[OldSchoolMacGuy]

As their CEO says, at least they just require username, password, email, so there's not a ton of data to take..... Other than tying all your browsing habits back to your personal email address. Hope you're not into some weird stuff.

 

[44267547]

My own take on Reddit, the one site I hard pass on for any discussion or information related.

 

[KGB7]

Screw that place.... couldn’t care if it burned down.

 

[linkmaster02]

I love Reddit.... hope it continues to flourish.

 

[TomaxXamot]

Glad it’s only a problem that affects those who signed up before 2007, unless I missed something. Reddit was tiny back then compared to nowadays.

I’m a fan of Reddit. I’ve learned a ton of stuff on a wide variety subjects there. Great for keeping up on major news, local news. Of course it has had, and still has, some dark corners, such as r/The_Donald, r/Incels, r/The Red Pill etc, but the majority of subreddits aren’t pure evil.

 

[macduke]

My own take on Reddit, the one site I hard pass on for any discussion or information related.

Yeah I stopped commenting and hardly use it now. Too much of a time suck like Facebook we were talking about earlier and I enjoy discussing things here more when a notification comes in during the day. I liked some of the funny photo content and often the Apple subreddit was a lot more civilized than the MacRumors comment section, which is pretty sad. However I've found the MacRumors forums much more enjoyable after I started using the ignore button. Somebody told me it has a 1000 person limit though that they hit so hopefully I don't hit that anytime soon. Not sure if there is a counter for that somewhere, lol.

 

[QuarterSwede]

Reddit is great if you stay away from the toxic subreddits. There are plenty of really informative and helpful communities like r/personalfinance and r/getmotivated that have tight moderation.

 

[Apple_Robert]

I use it on occasion. I am not affected by the breach. I have 2FA turned on anyway.

 

[Fall Under Cerulean Kites]

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.

Kind of like MacRumors, huh?

 

[fairuz]

Not too bad. Worst case this can be used to log into other sites people used the same email address for, and this is assuming they crack the salted passwords, which they shouldn't be able to. Not that I have an account that isn't askldjfuqigeh@askldfasd.com.

SMS-based two-factor authentication that failed, and the main attack happened through SMS intercept

But this is concerning. SMS intercept? What? I know there's info on this, but it requires knowledge of how all that incredibly complicated cellular stuff works, and I kinda assumed it was secure enough since so many sites rely on it.

 

[macduke]

Kind of like MacRumors, huh?

Oh no. No no no. Not like reddit, lol. That place is like 90% cesspool of the ages. Karma whoring, ****posting, stealing content, and generally high level of debauchery. Some subs have some good content and mods but overall it's mostly a waste of space. So glad I don't hang around there any more.

 

[Giantscruz]

Reddit has seen better days, but still continues to be useful and entertaining.

 

[iapplelove]

My own take on Reddit, the one site I hard pass on for any discussion or information related.

I myself have never been on or used reddit. Maybe if I were a bit younger perhaps.

Some of my friends send my links to articles and Reddit forum discussions and like you I pass.

 

[thisisnotmyname]

Time for:

a) POTS routing system to receive a massive secure upgrade
b) companies to stop relying on SMS as a second factor

 

[tonyr6]

I hate reddit like twitter the most vile garbage online. I block it from Google Searches.

 

[thisisnotmyname]

But this is concerning. SMS intercept? What? I know there's info on this, but it requires knowledge of how all that incredibly complicated cellular stuff works, and I kinda assumed it was secure enough since so many sites rely on it.

This has been around for a while. It's made news recently. Not too hard to social engineer (or outright bribe) mobile company employees to redirect an existing number to a new SIM card and suddenly the bad actor is able to receive the code to reset your account. They redirect to any new email/phone they want and you've lost access. People have been stealing OG screen names on Insta and Twitter that way and selling them for $1000+. Evidently T-Mobile even had a poorly secured tool available for quite a while that allowed people to get account information so they could just call in to the main customer service line and had all the required account information to ask T-Mobile to change SIMs. That tool was closed down recently after being in use for multiple years.
[doublepost=1533153111][/doublepost]Seems like the lead was buried here. These folks got access to Reddit's source code provider? If they have site source now they'll no doubt be looking for anything available to exploit and we should see (or not see but have there exist) a bigger breach soon. No code is perfectly secure and when you have source access it makes it much easier to find the chink in the armor.

 

[DeepIn2U]

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.

More importantly, something I've stated on these boards before, that SMS is NOT a secure delivery method for authentication. Providers may host SMS and you may have the only SIM card but network switches CAN be intercepted and SMS is just plain text ... open text, no encryption. SO many people where breathing down my next ... yet I personally had access to both Rogers Wireless (Canada) and T-Mobile USA's network switches (Ericsson & Nokia respectively) as a rep back in 2001-2004 and I know a phone number can be co-located on more than 1 SIM card, and that a SIM card CAN be cloned ON the switch! I wish I kept training notes and screenshots to upload.

 

[vipergts2207]

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.

Just like the real world. It seems like you think Reddit is some niche site, when in reality it's the 5th most visited website in the U.S., right between Amazon and Wikipedia, and the 17th most visited website in the world.

 

[coolfactor]

Reddit is one of those places that I could never quite get my mind wrapped around. Still find the concepts of "subreddits", etc. difficult to understand. and I'm a software engineer!

 

[Northgrove]

I wonder how many people are freaking out right now wondering if their true identities will be uncovered. Some weirdos on reddit for sure.

Yes I think this will be the greater problem, not only for weirdos, but regular users having posted sensitive stuff or photos before. That e-mail addresses will point to actual names/identities as they often do.

 

[coolfactor]

I hate reddit like twitter the most vile garbage online. I block it from Google Searches.

I use Twitter daily. While there is a lot of nonsense, once you learn to filter through it, it's a great way to connect to those companies that actively and successfully use it for system status updates and social engagement with customers.

 

[macduke]

Just like the real world. It seems like you think Reddit is some niche site, when in reality it's the 5th most visited website in the U.S., right between Amazon and Wikipedia, and the 17th most visited website in the world.

Did you just assume my membership? What kind of a neckbeard does that? Are you fraking sorry? I oughta break both your arms. *REDDITING INTENSIFIES*

Ah, the ol' Reddit switcharoo.

I wrote that in full understanding. Lots and lots of weirdos on that site with throwaways that might be tied to real emails using their name writing things that could ruin their careers or standing in society once they're doxed.

 

[fairuz]

This has been around for a while. It's made news recently. Not too hard to social engineer (or outright bribe) mobile company employees to redirect an existing number to a new SIM card and suddenly the bad actor is able to receive the code to reset your account. They redirect to any new email/phone they want and you've lost access. People have been stealing OG screen names on Insta and Twitter that way and selling them for $1000+. Evidently T-Mobile even had a poorly secured tool available for quite a while that allowed people to get account information so they could just call in to the main customer service line and had all the required account information to ask T-Mobile to change SIMs. That tool was closed down recently after being in use for multiple years.

Lol, I was thinking of the technical side and forgot about that option. That makes sense.
[doublepost=1533154390][/doublepost]

Reddit is one of those places that I could never quite get my mind wrapped around. Still find the concepts of "subreddits", etc. difficult to understand. and I'm a software engineer!

Same, I feel the site is very hostile to new users cause of bad UI and weird rules like "minimum karma," so I never bothered trying to participate. It's also just too big. But I find some good info there from Google searching.