Reddit Hacked Because Of Using Insecure Two-Factor Authentication

Reddit discovered that an attacker had gained access to its systems after compromising "a few" employee accounts with its cloud storage and source code hosting providers.

As a result, according to its blog post, the incident exposed some user data, including user posts and private messages, email addresses and hashed passwords, from an old 2007 database backup.

Reddit said it learned of the breach on June 19 and that the attacker had access to its systems between June 14 and June 18.

According to its blog post:

"On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA)."

The hacker also accessed Reddit logs that contained email digests sent between June 3 and June 17.

These digests are short selections of popular posts recommended to users based on the subreddits they have subscribed to. The logs also contain usernames together with their associated email addresses.

However, users who never tied an email address to their account, or who had opted out of the email digest, are not affected by this part of the breach.

The company did not say how many users may have been affected, but it recommends that users search their inboxes for emails sent by [email protected] to find out whether they were included. Reddit is also forcing a password reset on the accounts it determined were compromised.

[Image: Reddit's two-factor authentication using an authenticator app]

The attacker did not gain write access to Reddit's systems and was not able to alter Reddit information. Since the event, Reddit has taken steps to further lock down its infrastructure, to "rotate all production secrets and API keys, and to enhance our logging and monitoring systems."

Treating this as a serious attack, the company also reported the incident to law enforcement and is cooperating with their investigation.

"We’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again."

And as always, changing your password is good practice in situations like this.

The hacker was able to breach Reddit's internal system by using SMS intercept attacks on some of the company’s employees.

The attacker re-routed the 2FA code to a different device in order to read it. Security researchers have long warned against SMS-based 2FA because it is known to be insecure: it is vulnerable to "SIM swapping," in which an attacker takes over a user's phone number and receives everything sent to it, including one-time codes.

Reddit said that users should use only authenticator apps or physical authentication tokens for two-factor protection. As chief technology officer Christopher Slowe notes: "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."
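To show why an authenticator app is harder to intercept than an SMS code, here is an added example, not code from the article or from Reddit, of how such apps generate and verify codes. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and checks the result against the published RFC test vectors; the secret is the RFC's own example key, and the verifier's replay check (rejecting a time step that has already been accepted) is an added design choice, not part of the RFC. Because the code is derived locally from a shared secret and the current time, nothing is transmitted over the carrier network for an attacker to re-route.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 example secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1,
                last_accepted: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None.

    window allows for clock drift (counter - window .. counter + window).
    last_accepted is the counter of the last code this user successfully used;
    any counter at or below it is refused so a stolen code cannot be replayed.
    """
    base = unix_time // step
    for candidate in range(base - window, base + window + 1):
        if last_accepted is not None and candidate <= last_accepted:
            continue
        expected = hotp(secret, candidate, digits)
        # hmac.compare_digest avoids leaking the match position through timing.
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


def demo() -> bool:
    """Enrollment and login flow using the RFC example secret (constructed scenario)."""
    now = int(time.time())
    code = totp(RFC_SECRET, now)            # what the authenticator app displays
    first = verify_totp(RFC_SECRET, code, now)
    replay = verify_totp(RFC_SECRET, code, now, last_accepted=first)
    return first is not None and replay is None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))              # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("replay rejected:", demo())
```

The server stores the shared secret once at enrollment (typically shown to the user as a QR code) and never sends codes anywhere; a SIM swap therefore gives an attacker nothing, whereas with SMS 2FA the code itself travels through the phone network the attacker now controls.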

While it is not as good as a token- or app-based system, SMS-based 2FA is still better than nothing at all.

Published: 02/08/2018