Reddit has revealed that it suffered two significant data breaches last month but won’t reveal how many people were affected. It’s also only contacting those affected by the smaller breach, prompting criticism by security experts.
The attack took place between 14-18 June this year after hackers were able to access the accounts of two Reddit employees by intercepting the SMS message sent out when a person uses two-factor authentication to log in.
Once inside those accounts the hackers were able to access two key pieces of data. The first is a complete backup of all Reddit data including usernames, old passwords, email addresses, public posts and private messages from 2007 all the way back to the site’s launch in 2005.
Reddit has said that as a response it will be sending messages to all those it believes are affected and resetting the passwords of all the accounts that were included. It also notes that, “If you signed up for Reddit after 2007, you’re clear here.”
The second piece of data that was stolen is potentially more worrying. The attackers were able to gain access to a list of everyone who received Reddit’s personalised ‘Email Digest’ between 3-17 June, 2018.
Access to what is essentially a personalised newsletter is not in itself that worrying; what is concerning is that the list connects usernames to the email addresses associated with those accounts.
Anonymity is a big part of Reddit’s popularity, and by connecting usernames to email addresses it could allow a hacker to discover a person’s identity against their will.
So far Reddit’s response to this has simply been to ask people to delete any posts they wouldn’t want associated with their real identity.
Reddit hasn’t confirmed the exact number of people affected either; instead it simply states: “If you don’t have an email address associated with your account or your ‘email digests’ user preference was unchecked during that period, you’re not affected.”
It also hasn’t confirmed whether it will be contacting those affected by this second breach and hasn’t given any advice on what users should do next if they have been affected.
Speaking to the BBC, renowned security expert Troy Hunt said: “This is personally identifiable data that’s been exposed in what is unequivocally a data breach, why on earth wouldn’t you notify people?”
What to do if you’re worried you’ve been hacked?
If you’re worried your account was affected by the first attack then thankfully there are some steps you can take.
Anyone who created an account between 2005-2007 might be affected. If so, Reddit has said that it will be contacting you via email and resetting your password. Accounts created after 2007 are not affected by this hack.
If you’re worried about the second attack then things get slightly more vague.
Reddit says that the logs include anyone who received the Email Digest between 3-17 June.
Reddit’s official advice is: “If you don’t have an email address associated with your account or your ‘email digests’ user preference was unchecked during that period, you’re not affected.”
It also says that one way of finding out is to search your own email inbox for any emails from firstname.lastname@example.org between 3-17 June.
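One way to run that inbox check over a local mbox export of your mail, as an added example that is not part of the article: the digest sender address is a placeholder because the article does not give the real one, and the sample mailbox is constructed.

```python
import mailbox
import tempfile
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Placeholder sender: the article does not give the real digest address.
DIGEST_SENDER = "digest-sender@example.org"
WINDOW_START = datetime(2018, 6, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 6, 18, tzinfo=timezone.utc)  # exclusive: end of 17 June

# Constructed sample mbox: one digest inside the 3-17 June window, one after it.
SAMPLE_MBOX = """From - Sun Jun 10 09:00:00 2018
From: digest-sender@example.org
Date: Sun, 10 Jun 2018 09:00:00 +0000
Subject: Your weekly digest

From - Sun Jun 24 09:00:00 2018
From: digest-sender@example.org
Date: Sun, 24 Jun 2018 09:00:00 +0000
Subject: Your weekly digest

"""


def digest_hits(mbox_path, sender=DIGEST_SENDER, start=WINDOW_START, end=WINDOW_END):
    """Return (Date, Subject) of each message from `sender` dated in [start, end)."""
    hits = []
    for msg in mailbox.mbox(mbox_path):
        if sender.lower() not in (msg.get("From") or "").lower():
            continue
        try:
            sent = parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):  # missing or unparseable Date header
            continue
        if sent.tzinfo is None:  # naive Date headers: compare as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if start <= sent < end:
            hits.append((msg["Date"], msg["Subject"]))
    return hits


def scan_sample():
    """Write the constructed sample to a temp file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
    return digest_hits(f.name)
```

Point `digest_hits` at a real mbox export and set `DIGEST_SENDER` to the actual digest address to check your own mail; any hit means your username and email address were on the affected list.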
If you have been affected and you’re worried about your anonymity on Reddit, the company’s advice has simply been that you should delete any posts that you’re worried about being read publicly.
“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address,” writes Reddit’s Chief Technology Officer Christopher Slowe.