
Reddit users hit by data breach

Usernames, email addresses and passwords were snatched in a four-day hack in June

Popular social media site Reddit has suffered a data breach involving usernames, passwords and email addresses – but it’s refusing to say how many users have been affected.

In June this year, hackers broke into several Reddit employees’ accounts by intercepting verification texts. Once in, they accessed two sets of user data, some of which dated back to the site’s launch in 2005.

In a move which has baffled security experts, the site has vowed to contact only some victims of the breach, and has encouraged others to perform certain checks to determine whether they’re affected.

If you have a Reddit account, read on to find out what you need to do to stay secure.

Plus know your rights if your personal data has been lost.

Signed up to Reddit before June 2007?

The hackers obtained details from user accounts dating from the site’s launch in 2005 through to May 2007. This includes usernames and passwords, email addresses and public and private messages from this period.

If you’re a victim of this, Reddit says it will email you soon and it plans to forcibly reset passwords on accounts where it fears the stolen credentials may still work.

Signed up to Reddit more recently?

Sadly, you’re not out of the woods. If you received any email digests from Reddit between 3 and 17 June this year, the hackers have your username and email address, as well as suggested posts based on the interests (known as subreddits) you’ve recorded on the site.

Reddit says it won’t contact these victims. Instead, it’s asking users to determine whether they’re affected by searching their email inboxes for mail from the address ‘noreply@redditmail.com’ received between 3 and 17 June.

It’s not clear whether Reddit plans to reset passwords for this group, but in an on-site message it’s encouraged users to ‘think about whether there’s anything on your Reddit account that you wouldn’t want associated back to [your email] address’. It’s provided instructions on deleting data from your Reddit account.

Staying safe online

Regardless of whether you think you’ve been affected, it’s a good idea to reset your Reddit password and ensure you’re not using the same or similar passwords on other sites. Check out our tips on how to make a truly strong password.

You should also be wary of any phishing scams which could utilise the stolen data – for example, by questioning the validity of emails which claim to come from trusted organisations. Don’t click on email or text links or call phone numbers contained in such messages unless you’re absolutely certain they are genuine.

Data breach: mixed reactions

Reddit’s two-pronged approach to notifying breach victims has caused confusion even among experts. Troy Hunt, founder of data breach directory haveibeenpwned.com, tweeted his queries:

Others questioned why Reddit took over a month to bring the breach to public attention:

Writing online, Reddit chief technology officer Christopher Slowe said his team had been conducting a ‘painstaking investigation’ in recent weeks to uncover what was stolen.

He added that the breach had taught the company that text message-based authentication is ‘not nearly as secure as we would hope’. For more information on two-factor authentication (2FA) and how it could protect your online accounts, see our guide.
