Reddit has disclosed a breach of its systems that compromised user data including some current email addresses and salted and hashed passwords from a 2007 database backup.
On Wednesday, the web content aggregation platform notified users that a hacker gained access to several employee accounts via SMS intercept between June 14 and June 18. Reddit became aware of the attack on June 19 and says it has since mitigated the threat and rolled out improved systems and processes to prevent it from happening again.
Reddit uses two-factor authentication (2FA) to authenticate its primary access points for code and infrastructure, but Reddit said SMS-based authentication, which was targeted by the attacker, is “not nearly as secure” as the company thought.
“We point this out to encourage everyone here to move to token-based 2FA,” the company said.
SMS hijacking is an increasingly common mode of attack, and critics of SMS 2FA argue that it is really a two-step verification process, which is considerably weaker than 2FA with a physical security key.
As for what was accessed, Reddit said the attacker obtained read-only access to systems, source code and other logs. This included a complete copy of an old database backup of Reddit user data from the site's launch in 2005 through May 2007, containing account credentials, email addresses and all content, including private messages.
“They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company said.
Reddit is contacting affected users and requiring password changes for anyone still using the same password from 11 years ago.