A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says (reddit.com)
A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords, Reddit said Wednesday. From the announcement: Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.

Reddit says the incident occurred between June 14 and June 18, when the hacker "compromised a few of our employees' accounts with our cloud and source code hosting providers." Notably, the attacker got access even though Reddit employees had 2FA enabled on their accounts. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company said.

The company says it has reason to believe the attacker had access to the following data: All Reddit data from 2007 and before, including account credentials and email addresses.

What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007. In Reddit's first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you're clear here.
Re: (Score:2)
Jesus Christ, you fucking morons, these are social media sites run by private people/companies as they please.
And others are free to criticise them as they please. Whether or not they want to run their own social media website.
They can edit whatever they like
I wouldn't be as confident as you are if it came to court. Even if there's some BS covering this in the small print of the terms and conditions, putting words in someone's mouth without it being obvious this has been done sounds legally dubious to me.
ban people, delete posts, etc., as they wish.
Yes, they can. And others are free to criticise them for this. Whether or not they want to run their own social media website.
Run your own forum or get a fucking life, you fucking idiots!
This whole post is
Re: Actual impact is what? (Score:2)
Re: (Score:1)
Rainbow tabled??? If the hashes were salted, and it says in the summary they were, then rainbow tables would be unlikely. Rainbow tables would have to be generated for each salt, and presuming the salts weren't incredibly stupid the number of hashes per salt wouldn't be common enough to make rainbow tables worthwhile.
However, they could and presumably would generate hashes using a brute force approach.
Re: (Score:2)
11 years ago MD5 was still the go-to encryption of choice. Generating a rainbow table for that is possible in an hour or so with a cluster of rented Amazon GPU servers, at a pretty low price, especially if stolen credit cards are involved. This isn't the problem it used to be.
Now if it's properly salted with a salt for each password, sure, it's a bit harder, but for a lot of folks salt just means add the word "SECRET" to the start of the password.
Re: (Score:2)
You have no idea what 'salted' passwords means, do you? It doesn't add the word 'SECRET' to every password or any other secret word. It adds a *different* random string to every password. This means rainbow tables are useless because the entire rainbow table would be specific to ONE user's password. It would be completely pointless to generate a rainbow table for ONE user instead of just a brute-force attack on that user, with or without a 'cluster of rented Amazon GPU servers'.
Re: (Score:2)
Depends again on how they salted. If they used one salt for all passwords (as I've seen before) and it was captured too, then game over. However, if each entry had its own salt then yep, you're correct. (And thanks for reading the TFA - I always seem to lose interest before I get there.)
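An added example (not from any commenter) that makes the last three posts concrete: with no salt, or with a single captured global salt, one precomputed lookup table (MD5, as in the thread) covers every account; with a per-user random salt the table has to be rebuilt per account, so precomputation buys nothing over a straight brute-force attempt on each user. The user list, wordlist and the "SECRET" global salt are constructed for the demo.

```python
import hashlib
import os

# Constructed toy user database: four accounts with weak passwords.
USERS = {"alice": "password", "bob": "letmein", "carol": "qwerty", "dave": "password"}
# Constructed five-word guess list standing in for a real wordlist.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "monkey"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store(scheme: str, global_salt: bytes = b"SECRET") -> dict:
    """Hash every user's password under one of three storage schemes.
    Returns {user: (salt, hex_digest)} -- the salt is stored alongside the hash,
    as it must be for verification, so a database thief gets it too."""
    db = {}
    for user, pw in USERS.items():
        if scheme == "unsalted":
            salt = b""
        elif scheme == "global":
            salt = global_salt          # one fixed salt shared by all accounts
        elif scheme == "per_user":
            salt = os.urandom(16)       # fresh random salt for each account
        else:
            raise ValueError(scheme)
        db[user] = (salt, md5_hex(salt + pw.encode()))
    return db


def precompute(salt: bytes) -> dict:
    """Lookup table (digest -> guess) for ONE salt: the reusable, table-style part of the work."""
    return {md5_hex(salt + w.encode()): w for w in WORDLIST}


def attack(db: dict) -> tuple:
    """Return (accounts_recovered, hashes_computed). A table is built once per
    distinct salt and reused for every account that shares that salt."""
    tables, recovered, hashes_computed = {}, 0, 0
    for _user, (salt, digest) in db.items():
        if salt not in tables:
            tables[salt] = precompute(salt)
            hashes_computed += len(WORDLIST)
        if digest in tables[salt]:
            recovered += 1
    return recovered, hashes_computed


def compare() -> dict:
    """Same weak passwords every time; only the cost of the table work changes."""
    return {scheme: attack(store(scheme)) for scheme in ("unsalted", "global", "per_user")}
```

Weak passwords fall in every scheme; what per-user salting changes is that the table work scales with the number of accounts (20 hashes here instead of 5), which is exactly why a rainbow table "specific to ONE user" is no better than brute force.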
It was a walk-off ... (Score:3)
... steal of a backup tape or EHD by a former Reddit employee.
AC Accounts FTW (Score:1)
This is why I don't have a Reddit, or a Slashdot, account. Can't steal information that doesn't exist.
SMS 2FA (Score:2)
Just more proof SMS 2FA is really just 1FA
Re: (Score:2)
Programming language security had nothing to do with this hack. Someone called the phone company and pretended to be a clueless customer who was trying to port his phone to a new provider. Lazy phone company rep decided that even though the "clueless customer" didn't pass any of the security questions he would go ahead and port the phone away anyway 'to be helpful'. Now the hacker can receive all SMS messages that were supposed to go to the phone. He logs into Reddit's backend as the user and it sends a 2FA
WTF (Score:2)
A) Why are they even keeping backups that old, and B) not to mention, NOT ENCRYPTED?? Basic Security fail...
It's really easy during early startup years to open two or more cloud accounts and then just keep paying the bills because it's cheaper to host the data than pay someone to dig through it and make sure it's ok to delete and won't bring your business crashing down in six months.
One startup I worked at, because of the city we were located in, got $10,000 account credits from digital ocean, linode and a bunch of others, which at $10/mo for data storage is basically forever. And the guy setting those up
Not to worry (Score:2)
Hacker was found in basement having turned to a pillar of salt by looking at Raw Reddit.
SMS Weaknesses (Score:1)
What is the worst that can happen? (Score:2)