Reddit suffered a data breach in June, the company announced. The data accessed by the hacker includes a list of current email addresses and a 2007 database backup that contains some salted and hashed passwords.
According to Reddit, on June 19 they learned that between June 14 and June 18 an attacker had compromised the accounts of some of their employees with the company's cloud and source code hosting providers. The company puts the blame on SMS-based two-factor authentication, saying it is not nearly as secure as they had hoped, since the main attack worked by intercepting the SMS verification codes.
So, what information was involved? The company says that all Reddit data from 2007 and before was affected, including account credentials and email addresses. The company is sending out messages to affected users and automatically resetting passwords on accounts where those same credentials might still be valid. Hopefully, there aren't that many, given that the data is over a decade old.
The hackers also accessed the email digests sent by the platform in June 2018, between the 3rd and the 17th. This means they know which topics each user was following, based on the suggested posts, subreddit subscriptions and so on.
The problem with the whole situation is that Reddit has known what happened since June 19 and has only now announced it to the world, which is a pretty big deal. Whether the exposed data was sensitive or not is beside the point: a data breach happened and people's information was exposed. And yet, here we are, a month and a half later, and we're only just hearing about it. There's also no figure attached to the announcement, so how many accounts were really affected?
"I would equally be cautiously optimistic about the size of the disclosed data breach and thoroughly ascertain that no other systems or user accounts were compromised. Often large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams. While attack vectors of the first group are being mitigated, others are actively exploited, often not without success," High-Tech Bridge's CEO Ilia Kolochenko told TechNadu via email.
He also suggested that blaming the two-factor authentication via SMS is not ideal, as in many cases it's still better than nothing. What we should be focusing on, instead, is how the attackers got the passwords and the mobile phone number of Reddit employees before the security feature was compromised. "Moreover, when most of the business-critical applications have serious vulnerabilities varying from injections to RCE, 2FA hardening is definitely not the most important task to take care of," Kolochenko added.