Reddit Announces Security Breach After Hackers Bypassed Staff's 2FA

LASER_oneXM
Reddit announced a security breach today. The social platform says a hacker breached the accounts of several employees after bypassing two-factor authentication (2FA) and stole information such as some email addresses, logs, and a 2007 database backup containing old salted and hashed passwords.

The hack took place between June 14 and June 18. Reddit said it discovered the breach the next day, on June 19.

Reddit said the hacker never got "write access" to its servers.

"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems," the company said.

Hacker stole old passwords

But the hacker did get "read access," which Reddit says they used to download a copy of an older Reddit site backup from May 2007.

Reddit said this backup contained data on its users who were active on the site from the site's launch in 2005 until May 2007, the date of the backup.
"The most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then," Reddit said.

Users who registered after May 2007, and messages and posts published after that date, are deemed safe.

Hacker also stole more recent usernames and emails

Reddit also said the hacker downloaded some logs for Reddit's email digest feature, and more precisely, for the email digests sent on June 3 and June 17, 2018.
"The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to," Reddit said.
The social platform said that all users whose data the hacker had taken would be notified via a Reddit message. Users who still use their 2007 passwords will be prompted to change them.
Reddit also said the hacker accessed the company's source code, internal files, configs, and employee work files.
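Why a 2007 backup of "salted hashed passwords" still matters, and why Reddit would prompt users who still use their 2007 password to change it, is easier to see in code. The following is an added example, not code from the original post or from Reddit: the hash construction (SHA-1 over salt plus password) is an assumption, since the page does not say what Reddit used in 2007, and the user table and wordlist are constructed for the demo. It shows that a per-user salt only defeats precomputed tables; an attacker holding the backup can still guess each user's password offline, and a fast hash makes that cheap, whereas a slow KDF such as PBKDF2 makes the same attack expensive. It also shows the check a site can run at login to detect a password that still matches the leaked backup.

```python
"""Offline guessing against a leaked salted-hash table, plus the
"still using the 2007 password" check. Added example; the SHA-1(salt||pw)
scheme is an assumption, and all sample data below is constructed."""
import hashlib
import hmac
import os
import time

# Constructed sample data: a handful of users from a hypothetical 2007 backup
# and a tiny attacker wordlist. Not real Reddit data.
SAMPLE_USERS = {
    "alice": "hunter2",
    "bob": "Tr0ub4dor&3",
    "carol": "correcthorsebatterystaple",
}
SAMPLE_WORDLIST = ["password", "hunter2", "123456", "letmein",
                   "correcthorsebatterystaple"]


def fast_hash(salt: bytes, password: str) -> str:
    """Assumed 2007-era scheme: one round of SHA-1 over salt + password.
    Salted, but fast, so an attacker can test millions of guesses per second."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def slow_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Modern alternative: PBKDF2-HMAC-SHA256 with a high iteration count.
    Same salt, but each guess now costs the attacker ~100k hash operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_backup(users: dict, hasher) -> dict:
    """Build a username -> (salt, digest) table the way the site would store it."""
    backup = {}
    for name, pw in users.items():
        salt = os.urandom(8)           # unique random salt per user
        backup[name] = (salt, hasher(salt, pw))
    return backup


def crack(backup: dict, wordlist, hasher) -> dict:
    """Offline dictionary attack: the leaked salt is reused for each guess, so
    the salt does nothing against guessing, it only stops precomputed tables."""
    found = {}
    for name, (salt, digest) in backup.items():
        for guess in wordlist:
            if hmac.compare_digest(hasher(salt, guess), digest):
                found[name] = guess
                break
    return found


def still_uses_2007_password(old_salt: bytes, old_digest: str,
                             candidate: str, hasher=fast_hash) -> bool:
    """Login-time check: does the password just typed match the entry for this
    user in the leaked backup? If so, force a reset (what Reddit said it would
    prompt users to do). Constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(hasher(old_salt, candidate), old_digest)


def time_attack(hasher) -> float:
    """Seconds to run the dictionary attack with a given hash scheme."""
    backup = make_backup(SAMPLE_USERS, hasher)
    start = time.perf_counter()
    crack(backup, SAMPLE_WORDLIST, hasher)
    return time.perf_counter() - start


if __name__ == "__main__":
    backup = make_backup(SAMPLE_USERS, fast_hash)
    print("recovered from fast-hash backup:", crack(backup, SAMPLE_WORDLIST, fast_hash))
    salt, digest = backup["alice"]
    print("alice still on 2007 password:", still_uses_2007_password(salt, digest, "hunter2"))
    print(f"fast scheme: {time_attack(fast_hash):.4f}s, "
          f"PBKDF2 scheme: {time_attack(slow_hash):.4f}s for the same guesses")
```

Two of the three constructed users fall to the wordlist regardless of salting; only the user whose password is not in the list survives. The same loop against the PBKDF2 table recovers the same users but takes orders of magnitude longer per guess, which is the whole point of a slow KDF. Note that the login-time check only works while the user keeps typing the old password, which is why the announcement frames it as "users who still use their 2007 passwords will be prompted to change them".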
509322

Reddit is no good for anyone. It's a free-for-all cesspool with a ton of bad behaviors. The crypto subreddits are some of the worst. Stay off of it.

upnorth
Social media site Reddit has suffered a data breach, but has refused to disclose its scale. The site said it discovered in June that hackers compromised several employees' accounts to gain access to databases and logs. They were able to obtain usernames and corresponding email addresses - information that could make it possible to link activity on the site to real identities. The hackers were also able to access encrypted passwords from a separate database of credentials from 2007. Reddit said it would inform those affected by the loss of historic data, but would not be getting in touch with those impacted by the potentially much larger breach - a decision which has baffled prominent, independent security researchers.

"This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?" said renowned security researcher Troy Hunt, a specialist in data breaches affecting consumers. "In the case where it's mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually."

Instead, Reddit suggested users concerned should search their own inboxes to see if they have received an “email digest” from the firm between 3 and 17 June this year - the period of time for which hackers were able to obtain detailed logs on user activity and identity. "If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address,” wrote Christopher Slowe, Reddit’s chief technology officer. Prof Alan Woodward from the University of Surrey said Reddit should be doing more to protect its users. "Their concept of putting the onus on the user to consider if they have any data they wouldn’t want linked to an address is really not on,” said Prof Woodward.

"Users are not to blame.”

Reddit's hack response causes concern
 

Ink
Read this last night, nothing to worry about. Wasn't a member. :)

Reddit is no good for anyone. It's a free-for-all cesspool with a ton of bad behaviors. The crypto subreddits are some of the worst. Stay off of it.
It's still better than "What's the best AV?" with no context about their system or online behaviour.