Slowe, writing on r/announcement, explains that Reddit employees use two-factor authentication to secure their credentials to the site, but the attacker nonetheless compromised a few employees’ accounts with Reddit’s cloud and source code hosting providers. The attack relied on intercepting the text messages carrying single-use login codes that were meant to reach those employees. In the meantime, Reddit encourages everyone to move to token-based 2FA.
“We learned that SMS-based authentication is not nearly as secure as we would hope,” he added.

Even after bypassing 2FA, the attacker could not modify the site’s systems; the access gained was read-only:
“they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Unfortunately, the hacker(s) did manage to exfiltrate a few things. Among them was a batch of old user data spanning from the site’s launch in 2005 to May 2007. Although the passwords contained in the data were hashed and salted, the user data also included messages, both private and public, usernames, and associated email addresses.
Moreover, the attacker also accessed logs containing the email digests Reddit sent to its users between June 3 and June 17, 2018, meaning the email addresses those digests were delivered to and the connected usernames were exposed as well. According to Slowe, all affected users will receive an email and will be prompted to change their passwords.
The Reddit team’s investigation has progressed far enough to understand the impact. Because the attacker had read access to Reddit’s storage systems, other data was accessed as well, including Reddit source code, internal logs, configuration files and other employee workspace files, but the two areas above are the most significant categories of user data, Slowe says.
If you are a Reddit user and have not yet received a password reset notification in your inbox, we still recommend changing your password immediately. Enable two-factor authentication (2FA) using an authenticator app rather than SMS. Users can enable 2FA from User Preferences under the Password/email tab.