Reddit, which bills itself as the front page of the internet, fell victim to one of the internet’s oldest and most pressing issues: hacking.
Earlier today, Reddit disclosed that “a hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database containing old salted and hashed passwords.”
Before we dive into what exactly happened, we want to first let you know what you can do now to protect your accounts.
Protect your Reddit account by updating your password now.
If you’ve ever signed up for a Reddit account, we recommend updating your password now.
It’s always important to remember that the best way to protect your accounts is to use unique, complex passwords for every account. It’s easy to create those passwords with the Password Generator, located in all Dashlane apps and available via the web extension any time you sign up for a new account in your browser.
That means no more password reuse.
In your password health screen, your Reddit password will be located under the “Compromised” tab, since it was compromised in this hack.
Grouped together with your compromised Reddit password will be any other reused or similar passwords that you use for other accounts. We recommend changing all of those passwords as well to prevent cybercriminals from gaining access to accounts for which they already have the password!
Additionally, we always recommend locking up critical accounts with two-factor authentication (however, we do not recommend SMS-based two-factor authentication!).
So, what happened in this Reddit hack?
Speaking of SMS-based two-factor authentication, the hacker was able to gain access to a few Reddit employee’s accounts by securing primary access points for their accounts and then intercepting their SMS-codes used for two-factor authentication.
The hacker was able to gain read-only access (thankfully), which gave them access to “some systems that contained backup data, source code and other logs.” The hacker was unable to alter any Reddit user information.
Reddit has since locked down and rotated all production secrets and API keys in order enhance its monitoring system and logs.
What critical information was compromised during the hack?
- All Reddit data from 2008 and before, including account credentials and email addresses
- Email digests sent by the company in June 2018
Again, updating your compromised password, as well as any associated passwords protecting other accounts, is the first and most important step for you to take at this time.
In the meantime, their team is working with law enforcement to investigate the issue further, and they will be messaging users whose accounts have been affected. Additionally, they will be switching from SMS-based two-factor authentication in order to secure their systems.
The lesson, as always? Use unique, complex passwords everywhere.
We applaud Reddit for their transparency during this time. It’s not often that you see a company come out and give thorough details of a hack or breach event that has recently been discovered.
Still, with continued hacks, breaches, and data abuses, the fight to protect your personal data rages on—we will hopefully soon be in a world where private data remains private.
Until then, make sure that all of your passwords are unique and complex, and that you change compromised passwords (and associated passwords) as soon as possible.