Reddit hackers compromise pre-2007 user data and a bunch of email addresses

Reddit was hacked back in June, with the attacker gaining access to user data including some current email addresses and salted, hashed passwords that were in use prior to 2007. If you meet the criteria mentioned in the full breakdown, you should probably change your Reddit password – and you should probably look into two-factor authentication, either way.

Sometime between June 14 and 18, a hacker compromised a handful of Reddit employee accounts with the site’s hosting providers. The attacker intercepted SMS messages to bypass the two-factor authentication system. The hacker was able to gain “read-only access to some systems that contained backup data, source code and other logs.”

More specifically, two years’ worth of data from Reddit’s launch in 2005 through May 2007 was compromised. That includes usernames, salted hashed passwords, email addresses, and both public site content and private messages. If you were a Reddit early adopter, you need to take the usual set of post-compromise security precautions. Reddit will soon be sending out emails and PMs to affected users to help with those steps.

Recent Reddit users aren’t entirely out of the woods, either. Email digests sent between June 3 and 17 were also compromised; they contain usernames, email addresses, and info on a selection of popular subreddits you might subscribe to. (Don’t worry, nothing NSFW is in that list, so your Reddit porn habits haven’t been outed.) If you received those digests during that time, your email is probably out there.

Most of the other data accessed is on the Reddit backend, so no other user data is expected to have been compromised. Regardless, Reddit is working with law enforcement in attempting to track down the hacker, and is taking steps to make its internal access more secure. The full breakdown is available on Reddit proper. Make sure your security bases are covered.