"We've been conducting a painstaking investigation to figure out just what was accessed and to improve our systems and processes to prevent this from happening again", Reddit explained. The platform noted that SMS-based two-factor authentication was clearly not as effective as using an authenticator app. If you're one of those, the attackers know your email address and username but not your password, which has potentially troubling implications discussed below. I'm sure many people have the same password linked across their social media accounts.
The attacker was able to intercept the SMS messages that Reddit's security systems send to employees as an additional measure of protection. The incident is particularly relevant right now because of the growing understanding of the weaknesses in SMS-verified authentication. The hacker got read-only access to "some systems that contained backup data, source code, and other logs".
"We learned that SMS-based authentication is not nearly as secure as we would hope", wrote Mr Slowe.
Reddit hacked data - what info was stolen in the breach?
Reddit learned about it on June 19 and immediately began investigating exactly what was compromised. You can see if your account was affected by following the instructions above.
Reddit users might believe they are relatively anonymous as they need to provide only a username and email address to sign up for an account, but Slowe advised users affected by the breach to think about whether there's anything on their Reddit account that they wouldn't want associated back to that address.
Reddit also said the hacker downloaded some logs for Reddit's email digest feature, and more precisely, for the email digests sent on June 3 and June 17, 2018. The digests are short selections of popular posts recommended to users based on the subreddits they subscribe to. The logs contain the digest emails themselves - they look like this. You can also check for emails from [email protected] between June 3 and June 17. So that means if you created your account after this date, you should be in the clear.
Basically you'll want to change your Reddit password, as you should every once in a while anyway.
"Another good idea is not to use the leaked password anywhere else".
"Attackers use this information in a few ways", said Travis Biehn, technical strategist at Synopsys. You should also change it for any other accounts that may share the same password.
Passwords were salted and hashed, which sounds vaguely reassuring until you realise it covers a continuum of possibilities from very safe to not very safe at all.
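To make that continuum concrete, here is an added example (not Reddit's code; the article does not say which scheme Reddit used) that times two stores which are both "salted and hashed". The choice of SHA-256, PBKDF2 and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Weak end of the continuum: one round of a fast hash over salt + password."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_salted_hash(password: str, salt: bytes) -> bytes:
    """Strong end: the same salt, but fed to a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(scheme, password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(scheme(password, salt), stored)


def seconds_per_hash(scheme, salt: bytes, rounds: int) -> float:
    """Average cost of computing one hash, i.e. of checking one candidate password."""
    start = time.perf_counter()
    for i in range(rounds):
        scheme(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def compare_costs() -> dict:
    """Time both schemes; a leaked database is only as safe as this cost is high."""
    salt = os.urandom(16)  # constructed sample: a random per-user salt
    fast = seconds_per_hash(fast_salted_hash, salt, rounds=20_000)
    slow = seconds_per_hash(slow_salted_hash, salt, rounds=3)
    return {"fast": fast, "slow": slow, "ratio": slow / fast}


if __name__ == "__main__":
    costs = compare_costs()
    print(f"fast salted hash: {costs['fast'] * 1e6:.2f} microseconds per check")
    print(f"PBKDF2 x {PBKDF2_ITERATIONS}: {costs['slow'] * 1e3:.1f} ms per check")
    print(f"slowdown for anyone testing candidates offline: {costs['ratio']:,.0f}x")
```

The salt only stops identical passwords from producing identical hashes; the per-check cost is what decides where on the continuum a leaked database sits.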
"Given today's security climate, all online companies should use the forms of multi-factor authentication that are appropriate for the data assets being accessed as well as using encryption and key management to secure sensitive data".