Reddit's August 2018 security incident: What you need to know

Reddit for Android
Reddit for Android (Image credit: Android Central)

Reddit, one of the world's most popular websites, announced on August 1, 2018, that it experienced a security breach in which some user data was compromised.

The breach mostly affects Redditors that have been on the site since 2007 or earlier, but even if you made your account at a later date, you should still keep reading as there's a chance some info was still exposed.

What happened?

Between June 14 and June 18 of this year, Reddit says an attacker "compromised a few of our employees' accounts with our cloud and source code hosting providers." Although two-factor authentication was set in place, it was done so via SMS and the attacker in question was able to capture the codes using an SMS intercept attack.

The attacker was unable to get write-permissions to Reddit but did manage to obtain read-access to certain site systems.

While doing so, Reddit notes that the attacker obtained:

A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007.

With that database backup, usernames, salted + hashed passwords, email addresses, public content, and private messages were obtained (only if you had a Reddit account between 2005 and May 2007).

Additionally, the attacker also acquired:

Logs containing the email digests we sent between June 3 and June 17, 2018. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.

What you can do to protect yourself

None of that's great, but thankfully, Reddit's already working to make sure any potentially affected users are protected.

If your account was created between 2004 and May 2007, Reddit's currently sending out PMs/emails with further instructions on what to do. Furthermore, any accounts that were active during this time are being forced to reset its password.

Even if Reddit doesn't force you to reset your password, doing so anyways is a good idea just to make sure all of your bases are covered. If you're not yet using a password manager, now's the time to change that.

Furthermore, two-factor authentication is something that everyone should be using by now. And, if you have the option, always use this with a token-based system rather than over SMS.

Why you (and your family) should be using 2FA and a password manager

Joe Maring

Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.