Reddit, the social media outlet known for providing its users with anonymity across its site, has admitted to losing users' account info in a hack that took place in June of 2018.
Reddit released an announcement on the home page of their site. There, they broke down exactly what happened and what it means for their users. The first part of the information involved in the breach included all Reddit data from 2007 and before (including account credentials and email addresses). It is worth noting that Reddit had far fewer users and information flowing through their site in 2007.
Reddit has contacted any users affected by the information stolen from 2007 and earlier. They will also grant those users permission to reset their credentials and account info (assuming they are still valid). Users who signed up after 2007 are not at risk of having those same credentials stolen.
The second part of the breach included recent information from email digests sent by Reddit this past June. The logs held email digests that Reddit sends out to users who opt to receive them. In the breach, hackers managed to acquire logs sent between June 3rd and June 17th, 2018. By acquiring these logs, the hackers were also able to gain access to the email addresses that received them.
From the announcement:
The digests collected earlier this summer connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
It’s not bad news for everyone. Reddit stated that users who neither received a digest email nor opted in to receiving the digest email during the period are safe.
So How Did This Happen?
Reddit was adamant in explaining that users are free of any blame in this breach. Further investigation into the breach found that hackers managed to compromise a few of Reddit’s own employees.
While 2-factor authentication is usually used to prevent hacks, Reddit learned in their investigation that it doesn’t always succeed. The type of authentication that allowed hackers to poke a hole in their system was SMS-based authentication.
SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
The announcement was careful to point out that this shouldn’t deter anyone from using 2-factor authentication altogether. Instead, it recommended that users make sure they use the token-based 2-factor authentication provided through the Reddit authenticator app, NOT SMS.
What Can Be Done With This Account Information
If you are a subscriber to ScoresMatter, you may already know how criminals use a person’s stolen details. They typically establish an initial identity profile using a stolen email address. They then build the profile by appending personal details such as name and address, and financial data such as your payment card or bank details. Many times they purchase these emails and any information connected to them on the Dark Web.
In Reddit’s case, there is potential for criminals to connect a user’s email to the Reddit account info associated with it. While the purpose of Reddit is to afford users a social media experience that provides anonymity, many Reddit users may leave enough clues in their profile for criminals to use in compiling an identity profile. With ScoresMatter’s Dark Web Scan, Reddit users and other breach victims can scan the Dark Web to see if their email is for sale.
If you happen to be one of the millions of Reddit users, don’t wait to see if they will contact you; scan to see if you are on the Dark Web now.