Reddit Systems Hacked, Old Personal Information Stolen


Are you a Reddit user? How long have you been using it? Were you using it in 2007? It’s hard to remember, isn’t it? If you get it figured out, and you were using it more than a decade ago in 2007, your personal information may have been stolen. Hackers breached the Reddit systems and stole a cache of user data, but it’s data that’s eleven years old.

The Breach

Sure, Reddit is a great place to go if you like to read the news and then discuss it. It always has been, in fact, since 2005. You don’t even have to register to read the content there, but if you want to submit your own news, vote on others, or discuss what you’re reading, you need to have an account.

The Reddit systems were hacked in mid-June, and the breach was discovered on June 19. The personal information that was stolen included current email addresses and passwords from 2007.

“Since then we’ve been conducting a painstaking investigation to figure out just what was accessed and to improve our systems and processes to prevent this from happening again,” said Reddit chief technology officer and founding engineer, Christopher Slowe, in a post on Reddit.


The Problem with SMS-Based Authentication

What made the breach possible was that Reddit was using an outdated form of two-factor authentication on the employee accounts, according to Slowe. When an employee logged in, they received an SMS message with a one-time code to enter after their password. But this system isn’t considered safe anymore, as it’s too easy for attackers to intercept the codes from the texts.

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” explained Slowe. Thankfully, they’re changing their employee login system so that this type of thing doesn’t happen again.

The passwords that were stolen were hashed, meaning they were put through a one-way process that scrambles them into a long string of seemingly random characters, making it more difficult to recover the original password. But hashing has improved in the past decade, and those older techniques are now seen as being easy to break.

The US National Institute of Standards and Technology said in 2016 that it wouldn’t recommend SMS-based authentication moving forward. A year later they released an official guide showing the risks that are taken when SMS-based authentication is used to secure an organization’s systems.


Slowe admitted they weren’t always able to avoid using SMS-based authentication because of the third-party software they were using. However, Slowe reports they have “since resolved this.” He added, “We point this out to encourage everyone here to move to token-based two-factor authentication.”

Moving Forward

Are you worried you haven’t changed your Reddit password since 2007? Slowe said they’ll be reaching out to you if you were affected by this breach. If your password was breached, and you’re still using it, you’ll be forced to reset it. But frankly, at this point, I’m not sure why you wouldn’t want to reset it.

“Whether or not Reddit prompts you to change your password,” added Slowe, “think about whether you still use the password you used on Reddit eleven years ago on any other sites today.”

Are you worried your 2007 password was breached? Were you using Reddit back then and forgot all about it, leaving your password vulnerable? Let us know where you stand with this Reddit breach.


Laura Tucker
