Reddit, one of the world’s largest websites, has been hit by a data breach with the attackers accessing usernames, passwords and email addresses of users.
The size of the breach is not yet known but Reddit said two data sets had been accessed by hackers:
- One breach dates from 2007 and contained account details and all public and private posts between 2005 and May 2007.
- The other breach is linked to Reddit’s daily digest emails. This consists of user names and emailed addresses linked to the digest mails that were sent out between the 3rd and 17th of June this year.
The breach happened on 15th
June but was only discovered four days later.
Breaching two-factor authentication
In a clearly very well thought out attack the hackers broke in using compromised employee accounts that were protected with SMS two-factor authentication, which employees used to access Reddit’s systems.
Apparently hackers intercepted the text messages that contained the one-time passcode.
This is possible by calling the mobile provider and supplying relevant identifying information. The hacker then transfers a new phone number to the targeted device and intercepts the SMS passcode.
It’s likely that the original phone numbers were obtained from the dark web. All the hackers would need to do is find out the names of the relevant Reddit employees.
For instance millions of phone numbers, names and addresses are circulating the dark web following last year’s breach at Experian in which 143 million US consumers records were lifted in the mother of all hacks. Using this information it would be relatively easy hackers to identify and target Reddit employees.
- In the case of the historical data breach Reddit said it would inform those affected.
- In the case of the breach linked to Reddit’s email digest the company said users need to check their inboxes to see whether they received Reddit mails between the 3rd and 17th of June this year.
Given that an average of 1.5 billion people access Reddit each month this could potentially be a huge pool of people.
As always in these cases those who believe they may have been affected need to change their email passwords. New passwords should be at least 10 characters long and consist of upper and lower case letters, numbers and symbols.
More to come
Reddit has been criticised for asking users to check their mail inboxes. Industry figures say this is placing responsibility on victims rather than Reddit coming forward, identifying those at risk and informing them.
We could speculate endlessly why the company has taken this step but don’t be surprised if it is revealed that millions of people have been affected.
On a more general note if you are concerned about identity theft, and it doesn’t need to relate to the Reddit breach, consider BullGuard Premium Protection, which provides 24/7 protection for all your sensitive ID information including email addresses and passwords.