Today Reddit announced a security incident that took place in mid-June. The intrusion was discovered on June 19th, 2018, and the full extent of the data exposed was revealed this afternoon. The incident matters right now because it is a concrete, well-documented case of the weakness in SMS-based two-factor authentication that the industry has only recently started to take seriously.
Reddit Encourages tokens
Reddit said today that the main attack was SMS intercept: the attacker got past a few employees' SMS-based two-factor authentication by intercepting the text messages that carried their login codes. A stolen password alone would not have been enough; the SMS-delivered second factor was the part that failed. Much like Google’s very recent move toward physical authentication, Reddit announced the following: “[We] encourage everyone here to move to token-based 2FA.” Reddit has not said exactly what it deployed internally, but it almost certainly moved its employees to hardware security keys not unlike the ones in Google’s latest announcement. Have a peek at Titan Security Key to learn more about that bit of key-friendliness.
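Why an SMS code fails against an attacker who can read the message, and why a token-based second factor does not, is easiest to see in code. The simulation below is an added example and is not Reddit's code or anything from its announcement. It models a relying party checking an SMS one-time code, which anyone who sees the message in transit can submit, against a challenge-response second factor of the kind a hardware key provides. The user name, the origins and the use of HMAC-SHA256 in place of the public-key signature a real FIDO/U2F key produces are assumptions made for illustration; the binding properties shown (fresh challenge, origin, single use) are the ones that matter.

```python
"""Toy relying-party simulation: SMS one-time code vs. hardware-token challenge-response.

Added example, not Reddit's code. The HMAC-based token is a stand-in (assumption) for a
real security key, which signs with a private key that never leaves the device.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


class SmsOtpServer:
    """Second factor delivered as a 6-digit code over SMS.

    The server can only check the code itself. It has no way to tell whether the
    submitter is the phone's owner or someone who read the message in transit.
    """

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}

    def send_code(self, user: str, sms_channel: List[Tuple[str, str]]) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        sms_channel.append((user, code))  # anything observing the channel sees the code

    def verify(self, user: str, code: str) -> bool:
        expected = self.pending.pop(user, None)  # each code is single use
        return expected is not None and hmac.compare_digest(expected, code)


def token_respond(secret: bytes, origin: str, challenge: bytes) -> bytes:
    """What the token computes. The browser tells the key which origin it is on, and
    that origin is mixed into the response, so a response produced for a phishing
    domain is useless against the real site."""
    return hmac.new(secret, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class TokenServer:
    """Challenge-response second factor bound to a fresh nonce and to the site origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.keys: Dict[str, bytes] = {}
        self.challenges: Dict[str, bytes] = {}

    def register(self, user: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.keys[user] = secret
        return secret  # in reality this stays inside the hardware token

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.challenges[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.challenges.pop(user, None)  # consumed on first use, replay fails
        if nonce is None:
            return False
        expected = token_respond(self.keys[user], self.origin, nonce)
        return hmac.compare_digest(expected, response)


def sms_scenario() -> Dict[str, bool]:
    """Attacker reads the SMS (constructed channel) and submits the code first."""
    server = SmsOtpServer()
    sms_channel: List[Tuple[str, str]] = []  # constructed: the carrier-side path being intercepted
    server.send_code("alice", sms_channel)
    _, intercepted = sms_channel[-1]
    attacker_ok = server.verify("alice", intercepted)
    victim_ok = server.verify("alice", intercepted)  # code already consumed by the attacker
    return {"attacker_logged_in": attacker_ok, "victim_logged_in": victim_ok}


def token_scenario() -> Dict[str, bool]:
    """Intercepting or phishing a token response does not yield a usable login."""
    real = TokenServer("https://www.reddit.com")
    secret = real.register("alice")

    # 1. Legitimate login, then the attacker replays the captured response.
    nonce1 = real.challenge("alice")
    resp1 = token_respond(secret, real.origin, nonce1)
    victim_ok = real.verify("alice", resp1)
    replay_ok = real.verify("alice", resp1)  # no outstanding challenge -> rejected

    # 2. Attacker relays a fresh challenge through a lookalike site (assumed origin).
    #    The key answers for the origin it is really on, so the response does not match.
    nonce2 = real.challenge("alice")
    resp_phish = token_respond(secret, "https://reddit-login.example", nonce2)
    phish_ok = real.verify("alice", resp_phish)

    return {
        "victim_logged_in": victim_ok,
        "replay_accepted": replay_ok,
        "phished_response_accepted": phish_ok,
    }


if __name__ == "__main__":
    print("SMS code:", sms_scenario())
    print("Token:   ", token_scenario())
```

The two scenarios differ in what the server can check: with SMS it can only ask "is this the code I sent?", while with a token it asks "was this computed over the nonce I just issued, for my origin?", which an observer of the channel cannot produce.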
The attacker gained read-only access to systems holding backup data, source code, and “other logs.” Two sets of user data were exposed. The first is the email digests Reddit sent in June 2018, which tie a username to the email address the digest went to and list the safe-for-work subreddits it suggested. The second is an old database backup from 2007, covering Reddit’s earliest years, 2005 through 2007.
That backup included usernames, salted and hashed passwords, email addresses, and all content from that period: mostly public posts and comments, but private messages as well. Salting slows offline cracking but does not stop it, so a short or reused 2007 password should be treated as exposed.
What to do
If you had a Reddit account back in the day, or received a Reddit email digest in June of this year, consider the following. “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password,” said Reddit administrator KeyserSosa. “Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.”
Basically you’ll want to change your Reddit password if it dates from 2007 or you reuse it anywhere else, and turn on two-factor authentication on your account while you’re there. You should also think back to the year 2007 and ask yourself: Is there any subreddit I subscribed to that I wouldn’t want people knowing about? If you think you made some comments or sent private messages back in 2005, 2006 or 2007 that you weren’t proud of, you can delete them now, if you wish. Keep in mind that deleting them removes them from Reddit going forward; the copy in the 2007 backup is already in the attacker’s hands.
To delete old Reddit content, find the golden path over at RedditHelp. It is there that you’ll find the instructions for removing posts and comments from your account.