Reddit, one of the most popular websites on the planet, announced that a hacker broke into some of its systems and was able to access certain user data, including current email addresses and a 2007 database backup containing salted and hashed passwords.
The hacker compromised staff accounts with Reddit's cloud and source code hosting providers. This occurred despite those accounts being protected with two-factor authentication (2FA), which is meant to stop exactly this sort of takeover.
"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA," Reddit stated in a post to users.
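Token-based 2FA, which Reddit recommends over SMS, works by sharing a secret with the user's device once at enrolment and then deriving short-lived codes from that secret and the current time (RFC 4226 HOTP and RFC 6238 TOTP). Nothing is sent over the phone network at login, so there is no message for an SMS intercept to capture. The following is an added example of a server-side TOTP verifier, written for this page and not code from Reddit or any of its providers; it uses the published RFC 6238 test-vector secret and adds a replay guard and a constant-time comparison, both of which are this example's own design choices.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# The ASCII secret "12345678901234567890" from the RFC 6238 test vectors, base32-encoded.
# A real deployment generates a random secret per user at enrolment and stores it
# server-side; it never travels over SMS or any other out-of-band channel at login.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the Unix time divided by the step."""
    return hotp(secret_b32, at_time // step, digits)


def match_totp_step(secret_b32: str, submitted: str, at_time: int,
                    step: int = 30, window: int = 1, digits: int = 6) -> Optional[int]:
    """Return the time-step counter whose code matches `submitted`, or None.

    A window of +-1 step tolerates clock drift between device and server.
    hmac.compare_digest avoids leaking how many digits matched via timing.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = at_time // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), submitted):
            return candidate
    return None


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Stateless check: is `submitted` valid for `at_time` within the drift window?"""
    return match_totp_step(secret_b32, submitted, at_time, step, window, digits) is not None


class TotpVerifier:
    """Per-user verifier that also refuses to accept the same time step twice.

    Without this guard, a code observed once could be replayed for the rest of
    its validity window; tracking the highest accepted counter closes that gap.
    """

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1, digits: int = 6):
        self.secret_b32 = secret_b32
        self.step = step
        self.window = window
        self.digits = digits
        self.last_used_counter = -1  # no step accepted yet

    def verify(self, submitted: str, at_time: int) -> bool:
        matched = match_totp_step(self.secret_b32, submitted, at_time,
                                  self.step, self.window, self.digits)
        if matched is None or matched <= self.last_used_counter:
            return False
        self.last_used_counter = matched
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: time 59 with SHA-1 and 8 digits yields 94287082.
    print(totp(RFC_TEST_SECRET_B32, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET_B32, digits=8)
    print(v.verify("94287082", 59), v.verify("94287082", 60))  # first accepted, replay rejected
```

The eight-digit, SHA-1 values match the RFC 6238 Appendix B table, so the arithmetic can be checked against the standard; production authenticator apps default to six digits and a 30-second step, which is what the function defaults give.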
The security breach took place between June 14 and 18. Reddit learned of it on June 19 and immediately began investigating exactly what was compromised. The 2007 database backup includes public and private messages dating back to 2005, along with usernames, salted and hashed passwords, and email addresses.
Reddit said the hacker also accessed more recent logs containing email digests sent between June 3 and June 17, 2018.
"The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to," Reddit added.
Reddit reported the incident to law enforcement and is currently assisting with the outside investigation. It has also taken measures to strengthen security at other points of privileged access to its systems, such as enhanced logging, more encryption, and requiring token-based 2FA.
While the fallout doesn't look to be all that extensive, Reddit offered up some sound advice to users.
"If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today," Reddit said.