Reddit says hackers breached its systems, some user data compromised

Yolanda Curtis
August 3, 2018

Reddit's attackers managed to access two troves of data: an old backup database from 2005-07 featuring "account credentials (username salted hashed passwords), email addresses, and all content (mostly public, but also private messages)" and email digest logs from between June 3 and June 17, 2018, containing usernames and email addresses.

The Reddit data breach was discovered on June 19 and appears to have taken place in the days prior, sometime between June 14 and June 18.

"Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today".

To prevent similar attacks from happening in the future, Slowe says Reddit has taken "measures to guarantee that additional points of privileged access to Reddit's systems are more secure".

Attackers gained read-only access to systems with backup data, source code, and "other logs". Those affected will soon receive a message from Reddit alerting them to the intrusion, the company said.

If you believe you are in the group affected by the data breach, you should reset your password even if Reddit doesn't do it automatically.

Siciliano compared the incident to the 2015 breach of dating website Ashley Madison, which exposed the names and email addresses of more than 36 million account holders.

For example, even though the second factor may be generated by a mobile-based app, that one-time code needs to be entered into the same login page on a Web site along with the user's password, meaning both the password and the one-time code can still be subverted by phishing, man-in-the-middle and credential replay attacks.

In a bit of frightening news, it has been revealed that Reddit was hacked and important user data was accessed. So that means if you created your account after this date, you should be in the clear.

If you signed up for Reddit after 2007, this doesn't affect you. In the past, cybercriminals have assumed a victim's identity to trick cellular providers into essentially giving them access to the person's phone number. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to. The company is also encouraging users to enable token-based two-factor authentication through Authy, Google Authenticator, or a similar service.

Otherwise, Reddit advises you to search your email inbox for emails from between June 3 and June 17, 2018.

The fact that the attackers also gained access to some Reddit source code almost feels like a small loss, even though that is anything but the case.

Security and data breaches have pretty much become the norm for tech companies as of late.

The company has already reported what happened to law enforcement and is cooperating with an investigation.
