Reddit reveals major data breach, promises security fix – Info PR
Reddit became the latest company to reveal that hackers gained access to
private information, including email addresses, user credentials and
private messages. While much of the data was old archival information, some
of the user data was currently active.
Reddit revealed the breach
in a blog post:
On June 19, we learned that between June 14 and June 18, an attacker
compromised a few of our employees' accounts with our cloud and source code
hosting providers. Already having our primary access points for code and
infrastructure behind strong authentication requiring two factor
authentication (2FA), we learned that SMS-based authentication is not
nearly as secure as we would hope, and the main attack was via SMS
intercept. We point this out to encourage everyone here to move to
For users looking for a less-dense version, the company offered this
: A hacker broke into a few of Reddit's systems and managed to access some
user data, including some current email addresses and a 2007 database
backup containing old salted and hashed passwords. Since then we've been
conducting a painstaking investigation to figure out just what was
accessed, and to improve our systems and processes to prevent this from
3 helpful tips for your crisis comms prep]
Noticeably missing from the announcement was any kind of apology. Instead,
Reddit offered actions that it was taking to protect users in the future:
Some highlights. We:
- Reported the issue to law enforcement and are cooperating with their
- Are messaging user accounts if there's a chance the credentials taken
reflect the account's current password.
- Took measures to guarantee that additional points of privileged access to
Reddit's systems are more secure (e.g., enhanced logging, more encryption
and requiring token-based 2FA to gain entry since we suspect weaknesses
inherent to SMS-based 2FA to be the root cause of this incident.)
A key part of Reddit's explanation hinges on the use of SMS-based
two-factor authentication (2FA).
So how did this happen? It appears that SMS-based
played a key role.
“Already having our primary access points for code and infrastructure
behind strong authentication requiring two factor authentication (2FA), we
learned that SMS-based authentication is not nearly as secure as we would
hope, and the main attack was via SMS intercept,” notes the statement. “We
point this out to encourage everyone here to move to token-based 2FA.”
However, some in the tech industry can't believe that Reddit wasn't more
Though the average consumer may not have heard about the dangers of using
SMS in two-factor authentication, the tech community has
known about the risk for a few years. Yet somehow Reddit missed the memo.
Others chimed in on twitter that 2FA is a bad industry practice:
Reddit got hacked. They were using SMS 2FA. Never use SMS 2FA. Always use an external authenticator. pic.twitter.com/ELBOPwQn7v
— Emptybeerbottle (@Fullbeerbottle) August 1, 2018
For users who have been compromised, Reddit recommends these steps:
If your account credentials were affected and there's a chance the
credentials relate to the password you're currently using on Reddit, we'll
make you reset your Reddit account password. Whether or not Reddit prompts
you to change your password, think about whether you still use the password
you used on Reddit 11 years ago on any other sites today.
If your email address was affected, think about whether there's anything on
your Reddit account that you wouldn't want associated back to that address.
You can find instructions on how to remove information from your account on
And, as in all things, a strong unique password and
(which we only provide via an authenticator app, not SMS) is recommended
for all users, and be alert for potential phishing or scams.
The breach follows a string of data loss events from major organizations,
What do you think of Reddit's crisis response, PR Daily readers?
Article Prepared by Ollala Corp