Social news aggregation and discussion website, Reddit on Wednesday, 01 August, 2018, said that a hacker broke into its systems and accessed some user data which included current email addresses and a 2007 database backup containing old encrypted passwords.
A statement on Reddit's website read:
"A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and to process to prevent this from happening again."
Reddit explained that though the hacker was able to access some current email addresses and a 2007 data backup which contained old salted and hashed passwords, the attacker only gained read-only access to some systems and not did not write access.
The social media website went on to say that:
"Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems."
Reddit said that the breach was carried out by intercepting text messages that were meant to reach employees with one-time login codes.
"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we hope, and the main attack was via SMS intercept," Reddit said.
Also Read: This Malicious Battery Saver App Has Infected Over 60,000 Android Device
Reddit advised all of her users to move to token-based 2FA as it assured users that they had taken steps since the occurrence of the event to further lock down and rotate all production secrets and API keys, and to strengthen their logging and monitoring systems.
The social media site added that it was notifying affected users of the breach.