Reddit, the discussion and content-rating website, has confirmed it suffered a data breach affecting a backup of user data from 2007 and earlier, together with the email digests it sent in June of this year.
“Although it was a serious attack,” said Reddit in a statement, “the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.”
Information involved consisted of:
- “A complete copy of an old database backup containing very early Reddit user data – from the site’s launch in 2005 through to May 2007.” It said: “In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages).”
- “Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves.”
What to do
Regarding data affected and related to 2007 or before, the company said: “We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.”
Regarding the breach related to June, it said: “If you don’t have an email address associated with your account, or your ‘email digests’ user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [firstname.lastname@example.org] between June 3-17, 2018.”
Some industry experts have criticised Reddit for not revealing the scale of the breach. Others were puzzled as to why it was leaving users to find out for themselves whether their data was affected in the June incident.
Christopher Slowe, Reddit’s chief technology officer stated: “If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”
Jason Hart, CTO, Data Protection at Gemalto said: “Network intrusions like this are inevitable. The Reddit issue reinforces again that being breached is not a question of ‘if’ but ‘when’ and a multi-layered approach to security is needed. Even with multi-factor authentication deployed, the Reddit breach still occurred. Given today’s security climate, all online companies should use the forms of multi-factor authentication that are appropriate for the data assets being accessed as well as using encryption and key management to secure sensitive data.”