Chat forum Reddit has become the latest online giant to suffer a major breach of user data.
In an announcement posted on the site, Reddit says it has discovered that two data sets were illegally accessed using stolen login details from company employees.
According to The Guardian, the first data set included “account details and all public and private posts between 2005 to May 2007”.
Subscribe to The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
SUBSCRIBE & SAVE
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
The second contained “logs and databases linked to Reddit’s daily digest emails”, the newspaper says, as well as the email addresses and usernames of people who subscribed to the news briefings.
The hack was discovered on 19 June and occurred earlier that month.
Reddit says that the “attacker” was able to access other restricted areas of the forum, such as “employee workspace files” and “source code”, but that the two sets of personal information “are the most significant categories of user data”.
It is believed the breach was possible “because Reddit was using an outdated form of two-factor authentication on its employee accounts”, whereby users are sent an SMS message with a verification code to confirm their identity, says CNet.
The chat forum has not said how many users were affected by the hack.
According to the BBC, Reddit will “inform those affected by the loss of historic data” from 2007 but not those with data in the more recent information set from 2018.
Troy Hunt, an expert in data breaches, told the broadcaster: “This is personally identifiable data that’s been exposed in what is unequivocally a data breach, why on Earth wouldn’t you notify people?
“In the case where it’s mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually.”
Reddit says it has “reported the issue to law enforcement” and is “cooperating with their investigation”. The site also pledged to upgrade its login systems with encrypted two-factor authentication.
