Recently, attackers hacked Reddit, the web’s most popular social news sharing site. According to the Reddit security team, the hack happened on June 19. An attacker was able to compromise a handful of employee accounts with Reddit’s cloud and source code hosting providers.
How Attackers Hacked Reddit
In the past few years, “two-factor authentication” has been implemented to help secure online accounts. Two-factor authentication is an extra layer of security that requires users to verify their identity with a code delivered by text, e-mail, or a separate app.
However, attackers were able to intercept the two-factor authentication codes sent by SMS to Reddit employees’ phones, granting access to their accounts. This enabled the attackers to gain read-only access to backup data, source code, and other logs.
Some of these logs included all Reddit data prior to 2007, including user e-mails, private messages, and internal files.
How Reddit Is Handling The Attack
In this particular Reddit hack, the attackers gained only read-only access to systems that contained backup data, source code, and other logs, so they were unable to alter any information. The Reddit security team has since “taken steps to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” as stated in their announcement.
Key Areas Of User Data That Were Accessed
- All Reddit data from 2007 and before, including account credentials and email addresses
  - What was accessed: “A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.”
  - How to tell if your information was included: “We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.”
- Email digests sent by Reddit in June 2018
  - What was accessed: “Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.”
  - How to tell if your information was included: “If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from email@example.com between June 3-17, 2018.”
The Reddit team has reported the issue to law enforcement, who are fully cooperating with their investigation. Reddit is also messaging user accounts that could potentially be compromised.
The steps Reddit is taking in response include enhanced logging, more encryption, and token-based two-factor authentication instead of SMS-based two-factor authentication.
What Users Can Do About The Reddit Hack
First, users should check whether their data has been accessed, following the instructions above. Users should then change their passwords on Reddit as well as on any other accounts that use the same password.
Following these steps will ensure that a further data breach or Reddit hack will not affect your accounts.
Protecting Your Data With A VPN FlashRouter
Furthermore, using a Virtual Private Network, or VPN, is recommended to protect your online anonymity. A VPN allows users to encrypt and route their online data to secure and remote servers around the world.
With a VPN connection, the Reddit servers are unable to see your IP address or connection. Reddit would only be able to see your VPN’s connection.
A FlashRouter allows your entire home network to benefit from these VPN services, protecting any device you connect to it. For example, accessing Reddit via mobile phone, tablet, or desktop will be protected through your VPN connection.
The FlashRouters VPN Privacy App
Each FlashRouter also comes included with the VPN Privacy App. This is a free app that runs directly through your Internet browser to simplify the VPN router experience.