Reddit announced today a security breach. The social platform says a hacker(s) breached the accounts of several employees after bypassing two-factor authentication (2FA) and stole information such as some email addresses, logs, and a 2007 database backup containing old salted and hashed password.
The hack took place between June 14 and June 18. Reddit said it discovered the breach the next day, on June 19.
The hacker obtained “read access,” which Reddit says he used to download a copy of an older Reddit site backup from May 2007. Reddit said this backup contained data on its users who were active on the site from the site’s launch in 2005 until May 2007, the date of the backup.
Reddit also said the hacker downloaded some logs for Reddit’s email digest feature, and more precisely, for the email digests sent on June 3 and June 17, 2018.
Reddit pinned the incident on the hacker’s ability to bypass 2FA. Reddit said the hacker performed an SMS intercept attack for the phone numbers of some of its employees and intercepted the 2FA codes necessary to access the employees’ accounts.
Reddit said it migrated employees from SMS-based 2FA to token-based 2FA and urged other companies and users to do the same.