Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security

A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says (reddit.com) 44

A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords, Reddit said Wednesday. From the announcement: Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again. Reddit says the incident occurred between June 14 and June 18 when the hacker "compromised a few of our employees' accounts with our cloud and source code hosting providers." Interestingly, even as Reddit employees maintain 2FA on their accounts, the attacker managed to get access to their data. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company said. The company says it has a reason to believe the attacker had access to the following data: All Reddit data from 2007 and before including account credentials and email addresses. What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007. In Reddit's first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then. How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you're clear here.
This discussion has been archived. No new comments can be posted.

A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says

Comments Filter:
  • by CaptainDork ( 3678879 ) on Wednesday August 01, 2018 @12:58PM (#57050260)

    ... steal of a backup tape or EHD by a former Reddit employee.

  • by Anonymous Coward

    This is why I don't have a Reddit, or a Slashdot, account. Can't steal information that doesn't exist.

  • Just more proof SMS 2FA is really just 1FA

  • by Wolfrider ( 856 )

    A) Why are they even keeping backups that old, and B) not to mention, NOT ENCRYPTED?? Basic Security fail...

    • by Hadlock ( 143607 )

      It's really easy during early startup years to open two or more cloud accounts and then just keep paying the bills because it's cheaper to host the data than pay someone to dig through it and make sure it's ok to delete and won't bring your business crashing down in six months.

      One startup I worked at, because of the city we were located in, got $10,000 account credits from digital ocean, linode and a bunch of others, which at $10/mo for data storage is basically forever. And the guy setting those up

  • Hacker was found in basement having turned to a pillar of salt by looking at Raw Reddit.

  • They were using SMS 2FA? Really?? That said it sounds like the number impacted was small, so at least Reddit learned from this (relatively) smaller incident instead of something bigger happening.
  • Reddit supports anonymous users. If I get compromised on one of my accounts the worst that can happen is someone posts praising Obama in r/the_donald making me lose 10,000+ karma points. Not terribly important IMHO.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...