Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup
Reddit said in a blog post Wednesday that a hacker broke into the company's systems in June and gained access to a variety of data, including user emails, source code, internal files, and “all Reddit data from 2007 and before.” And it likely could have been avoided if some Reddit employees were using two-factor authentication apps or physical keys instead of their phone numbers.
"On June 19, we learned that an attacker compromised a few of Reddit's accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes," a Reddit spokesperson said in a statement. (Advance Publications, which owns WIRED publisher Condé Nast, is Reddit's majority shareholder.) "We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future. A small number of users were affected and have been notified."
Among the compromised information was a 2007 Reddit database backup, which means if you were using the platform back then, your account information from that time—like your email address, username, and password—has been exposed. Reddit says the passwords were protected by cryptographic salting and hashing defenses, but if you still use that old password for your Reddit account, or any online account, you should change it to a strong, random password in case the Reddit trove can be cracked.