Reddit Has Been Hacked: Are You Affected?

It's official: Reddit has been hacked.

The forum-hosting website announced Aug. 1 that it was aware of a data breach that occurred between June 14 and June 18 of this year. The hacker gained read-only access to some systems containing backups of user data and source code.

How did they do this? By intercepting the SMS messages that Reddit administrators received as part of the two-factor authentication (2FA) process to log into Reddit back-end systems.

Don't worry, though -- you're probably safe. The hacker was only able to obtain user data from accounts created before May 2007. Most accounts created after that date are in the clear.

However, for accounts from that time period, the breach was serious. The exposed backup contained account usernames, email addresses, public content including messages, and hashed and salted passwords.

"Hashed and salted" refers to protective measures that save passwords as long strings of presumably indecipherable text, but given the age of the data, the hashing algorithm used (Reddit didn't specify which one it was) may have become weaker over time.

The crook also obtained logs containing Reddit's email digests sent between June 3 and June 17 of this year. If you did not have an email address associated with your account, or weren't receiving digests during that period, this part won't impact you.

If yours is one of the accounts the hacker hit, you should reset your Reddit password and make sure you're not using it on any other site.

Reddit has reported the issue to law enforcement and will be notifying users of the accounts that were impacted.

There's one more thing: This incident shows how weak SMS-based 2FA mechanisms are when any crook can intercept text messages or have your phone number transferred to another phone.

We still say that any 2FA is better than no 2FA, but if you have the means and patience, or you use 2FA as part of your job, please consider switching from SMS-based 2FA to the Google Authenticator mobile app (which Reddit itself recommends for its users) or a hardware 2FA key that plugs into a USB port.