Popular social media site Reddit has suffered a data breach involving usernames, passwords and email addresses – but it’s refusing to say how many users have been affected.
In June this year hackers broke into several Reddit employees’ accounts by intercepting verification texts. Once in, they accessed two sets of user data, some of which stemmed back to the site’s launch in 2005.
In a move which has baffled security experts, the site has vowed to contact only some victims of the breach, and has encouraged others to perform certain checks to determine whether they’re affected.
If you have a Reddit account, read on to find out what you need to do to stay secure.
Signed up to Reddit before June 2007?
The hackers obtained details from user accounts dating from the site’s launch in 2005 through to May 2007. This includes usernames and passwords, email addresses and public and private messages from this period.
If you’re a victim of this, Reddit says it will email you soon and it plans to forcibly reset passwords on accounts where it fears the stolen credentials may still work.
Signed up to Reddit more recently?
Sadly you’re not out of the woods. If you received any email digests from Reddit between 3-17 June this year, the hackers have your username and email address, as well as suggested posts based on the interests (known as subreddits) you’ve recorded on the site.
Reddit says it won’t contact these victims. Instead, it’s asking users to determine whether they’re affected by searching their email inboxes for mail from the address ‘firstname.lastname@example.org’ received between 3-17 June.
It’s not clear whether Reddit plans to reset passwords for this group, but in an on-site message it’s encouraged users to ‘think about whether there’s anything on your Reddit account that you wouldn’t want associated back to [your email] address’. It’s provided instructions on deleting data from your Reddit account.
Staying safe online
Regardless of whether you think you’ve been affected, it’s a good idea to reset your Reddit password and ensure you’re not using the same or similar passwords on other sites. Check out our tips on how to make a truly strong password.
You should also be wary of any phishing scams which could utilise the stolen data – for example, by questioning the validity of emails which claim to come from trusted organisations. Don’t click on email or text links or call phone numbers contained in such messages unless you’re absolutely certain they are genuine.
Data breach: mixed reactions
Reddit’s two-pronged approach to notifying breach victims has caused confusion even among experts. Troy Hunt, founder of data breach directory haveibeenpwned.com, tweeted his queries:
So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn’t sound like it and they’re relying on people to check if they’ve been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN
— Troy Hunt (@troyhunt) August 1, 2018
Others questioned why Reddit took over a month to bring the breach to public attention:
@reddit got hacked and data from 2007 and before, including #credentials were stolen. They are aware since June 19th and only communicate now! WTF?! My advice peeps: do change your password from time to time and never trust companies like this one. https://t.co/0o349C0LAz
— Gaétan (@GaetanICT) August 1, 2018
Writing online, Reddit chief technology officer Christopher Slowe said his team had been conducting a ‘painstaking investigation’ in recent weeks to uncover what was stolen.
He added that the breach had taught the company that text message-based authentication is ‘not nearly as secure as we would hope’. For more information on two-factor authentication (2FA) and how it could protect your online accounts, see our guide.