Social media site Reddit has suffered a data breach, but has refused to disclose its scale. The site said it discovered in June that hackers compromised several employees' accounts to gain access to databases and logs. They were able to obtain usernames and corresponding email addresses - information that could make it possible to link activity on the site to real identities. The hackers were also able to access encrypted passwords from a separate database of credentials from 2007.
Reddit said it would inform those affected by the loss of historic data, but would not be getting in touch with those impacted by the potentially much larger breach - a decision which has baffled prominent, independent security researchers.
"This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?" said renowned security researcher Troy Hunt, a specialist in data breaches affecting consumers. "In the case where it's mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually."
Instead, Reddit suggested users concerned should search their own inboxes to see if they have received an "email digest" from the firm between 3 and 17 June this year - the period of time for which hackers were able to obtain detailed logs on user activity and identity.
"If your email address was affected, think about whether there's anything on your Reddit account that you wouldn't want associated back to that address," wrote Christopher Slowe, Reddit's chief technology officer.
Prof Alan Woodward from the University of Surrey said Reddit should be doing more to protect its users. "Their concept of putting the onus on the user to consider if they have any data they wouldn't want linked to an address is really not on," said Prof Woodward. "Users are not to blame."