Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup

Credit to Author: Lily Hay Newman | Date: Wed, 01 Aug 2018 20:38:35 +0000
Republished 2018-08-02 at http://www.palada.net/index.php/2018/08/02/news-6759/

The tech community has known about the risk of using SMS in two-factor authentication for years. Reddit appears to have missed the memo.

Reddit said in a blog post Wednesday (https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/) that a hacker broke into the company's systems in June and gained access to a variety of data, including user emails, source code, internal files, and "all Reddit data from 2007 and before." And it likely could have been avoided if some Reddit employees were using two-factor authentication apps or physical keys instead of their phone numbers.

"On June 19, we learned that an attacker compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes," a Reddit spokesperson said in a statement. (Advance Publications, which owns WIRED publisher Condé Nast, is Reddit's majority shareholder.) "We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future. A small number of users were affected and have been notified."

Among the compromised information was a 2007 Reddit database backup, which means if you were using the platform back then, your account information from that time—like your email address, username, and password—has been exposed. Reddit says the passwords were protected by cryptographic salting and hashing defenses (https://www.wired.com/2016/06/hacker-lexicon-password-hashing/), but if you still use that old password for your Reddit account, or any online account, you should change it to a strong, random password in case the Reddit trove can be cracked.

"Since the salting and hashing is going back to 2006 or 2007, it's likely suboptimal," says Kenn White, director of the Open Crypto Audit Project. "Everyone should probably change their passwords."

Reddit also noted that logs from June 3 to June 17, 2018, related to the platform's "email digests" were exposed. This is a problem, because access to that information would allow attackers to see the usernames connected to each user email address—helpful information if you're trying to compromise accounts. The digests also make suggestions about posts and subreddits a user might like, which potentially gives attackers additional information about individuals on Reddit.

Those are the main user impacts the company is highlighting, but chief technology officer Christopher Slowe mentions in the blog post that the breach also compromised "Reddit source code, internal logs, configuration files and other employee workspace files." All those things combined could give hackers deep insight into Reddit's fundamental structure and architecture, which creates a long-term risk the company will need to address.

"Once a criminal sneaks in through a window in your house in the middle of the night, yes, they can steal your china, snap a picture of your bank statements, and drink your beer," White says.

Attackers got into Reddit's systems by compromising some employee administrative accounts for company cloud storage and source code storage. Slowe notes in the blog post that the employees were using two-factor authentication to protect these crucial accounts, but some number of them had that layer of protection set up with SMS—meaning someone would need a code texted to their mobile number to complete an account login. The problem is that SMS-based two-factor is known to be insecure, because attackers can launch a "SIM swapping" attack to take control of a user's SIM card and all the data coming to their phone number (https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin).

Though the average consumer may not have heard about the dangers of using SMS in two-factor authentication, the tech community has known about the risk for a few years (https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/). Yet somehow Reddit missed the memo. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Slowe wrote on Wednesday.

"What they are saying is that their cloud infrastructure had high-privilege accounts secured by crappy two factor protections and one of their admins was popped," White says. "A high-value property like Reddit secured with some dude's mobile number is no bueno."

Reddit says that it will notify users whose current account password relates to credentials compromised in the breach, and will prompt those affected individuals to change their passwords. The company is encouraging everyone to "think about whether you still use the password you used on Reddit 11 years ago on any other sites today. If your email address was affected, think about whether there's anything on your Reddit account that you wouldn't want associated back to that address."

The company also says users should do as it says, not as it (apparently) does, and only use authentication apps (https://www.wired.com/story/two-factor-authentication-apps-authy-google-authenticator/) or physical authentication tokens for two-factor protection. As Slowe notes, SMS-based two-factor is not an option for Reddit accounts.

Source: https://www.wired.com/story/reddit-hacked-thanks-to-woefully-insecure-two-factor-setup