Reddit has suffered a "serious" data breach but seems unwilling or unable to put a figure on its size. "If your account credentials were affected and there's a chance the credentials relate to the password you're now using on Reddit, we'll make you reset your Reddit account password", said Reddit administrator KeyserSosa.
The website learned of the hack on June 19 and says that an attacker was able to compromise the accounts of a few Reddit employees along with Reddit's cloud and source code hosting providers.
The forum said the employee accounts had been accessed when hackers were able to breach the two-factor authentication used to confirm log-in.
The user information that was accessed affects only users who created accounts between the site's launch in 2005 and May 2007. It's also all urging all users to enable token-based two-factor authentication.
According to Reddit's analysis of the breach thus far, the hacker only accessed backup data, source code, and other logs. Regardless, Reddit is working with law enforcement in attempting to track down the hacker, and is taking steps to make its internal access more secure.
At last count, Reddit had at least as many average monthly users as the likes of Twitter, clocking in at over 330 million, was the fifth most visited site in the United States, and had the highest user time-spend per day of any site in Australia.
There are two parts to this story - who is affected and the weakness the company says led to the breach itself.
Reddit said it was contacting affected users and would be resetting their passwords.
Bryson Dechambeau issues Richard McEvoy apology
In those 17 years, McEvoy had won just two Challenge Tour titles until two weeks ago, one coming in 2017 and the other in 2005. It was a rollercoaster ride big time today, but I fought hard, I believed and even at the last I [gave] myself the best...
If your account was created between 2004 and May 2007, Reddit's now sending out PMs/emails with further instructions on what to do.
"From phishing scams and dictionary attacks - where fraudsters try certain common passwords based on the user's information - to synthetic identities, as little as an email address can go a long way in the hands of a bad actor".
One Reddit user noted that it's possible the hacker could piece together a Redditor's username from looking at their email address, too.
"We learned that SMS-based authentication is not almost as secure as we would hope, and the main attack was via SMS intercept", Reddit founding engineer Christopher Slowe said. Reddit email digests sent in June of 2018, specifically, were also included in the incident. The platform noted that SMS-based two-factor authentication was clearly not as effective as using an authenticator app.
However, Reddit said hackers had intercepted those text messages.
Most of the other data accessed is on the Reddit backend, so there isn't expected to be other compromised user data.
Even if Reddit doesn't notify you and you have been using the same password since 2007, it is probably better to reset it anyway, since by now it may have made its way to a number of dumped databases.