Reddit has admitted it suffered a breach that saw hackers make off with some users' current email addresses and a database containing older accounts.
The data breach took place between 14 June and 18 June, when as-yet-unknown culprits accessed employee accounts through an SMS intercept attack, Reddit's chief technology officer Christopher Slowe said in a post to r/announcements.
"We learned that SMS-based authentication is not nearly as secure as we would hope," Slowe wrote.
As a result, Reddit says the hacker(s) were able to grab backup data, source code, and other logs from its hosting providers, including an old database backup holding data from 2005 to 2007 that included usernames, email addresses, public messages, private messages and passwords that had been hashed and salted.
Logs containing email digests sent by Reddit from 3 June to 17 June were also grabbed, including usernames, associated email addresses, and suggested posts from "select popular and safe-for-work subreddits you subscribe to."
"As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data," Slowe added.
"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems."
Reddit says it plans to notify all affected users and is encouraging users to reset passwords for accounts that might still be using decade-old passwords. It is also urging all users to enable token-based two-factor authentication.
Users who signed up to Reddit after May 2007, and messages and posts published since then, are not affected.
"In other news, we hired our very first Head of Security, and he started 2.5 months ago," added Slowe.
"I'm not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months. So far he hasn't quit."