Reddit hack: attackers steal user data in major breach

Userwords, passwords and email addresses were illegally accessed

Side-stepping encryption could make web users vulnerable to hackers
(Image credit: Thomas Samson/AFP/Getty Images)

Chat forum Reddit has become the latest online giant to suffer a major breach of user data.

In an announcement posted on the site, Reddit says it has discovered that two data sets were illegally accessed using stolen login details from company employees.

According to The Guardian, the first data set included “account details and all public and private posts between 2005 to May 2007”.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.


Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

The second contained “logs and databases linked to Reddit’s daily digest emails”, the newspaper says, as well as the email addresses and usernames of people who subscribed to the news briefings.

The hack was discovered on 19 June and occurred earlier that month.

Reddit says that the “attacker” was able to access other restricted areas of the forum, such as “employee workspace files” and “source code”, but that the two sets of personal information “are the most significant categories of user data”.

It is believed the breach was possible “because Reddit was using an outdated form of two-factor authentication on its employee accounts”, whereby users are sent an SMS message with a verification code to confirm their identity, says CNet.

The chat forum has not said how many users were affected by the hack.

According to the BBC, Reddit will “inform those affected by the loss of historic data” from 2007 but not those with data in the more recent information set from 2018.

Troy Hunt, an expert in data breaches, told the broadcaster: “This is personally identifiable data that’s been exposed in what is unequivocally a data breach, why on Earth wouldn’t you notify people?

“In the case where it’s mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually.”

Reddit says it has “reported the issue to law enforcement” and is “cooperating with their investigation”. The site also pledged to upgrade its login systems with encrypted two-factor authentication.

Continue reading for free

We hope you're enjoying The Week's refreshingly open-minded journalism.

Subscribed to The Week? Register your account with the same email as your subscription.