A hacker broke into Reddit’s employee computer network in June, gaining access to some of its user data, the company announced Wednesday.
Reddit, the news aggregation and discussion website, said the hacker tapped into “current email addresses and a 2007 database backup containing old salted and hashed passwords” between June 14 and June 18, according to a blog post. The company learned about the attack on June 19.
The company in part blamed a failed two-step authentication process, which is supposed to add an extra layer of security by requiring users to enter a passcode sent to their phones when they log on to their employee accounts.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” the post reads in part. “We point this out to encourage everyone here to move to token-based 2FA.”
Reddit noted that the hacker only gained “read-only” access rather than “write access” to its company systems, meaning the backup data and source code, as well as other logs, were not accessed.
“They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company said.
The attacker, the company said, also gained access to early Reddit data from the site’s launch in 2005 to May 2007. The company said the site had fewer features in its early years, and thus the “most significant data contained in this backup are account credentials, email addresses, and all content from way back then.”
Now that its investigation is wrapped up, the company says it is notifying the affected users, requiring passwords to be reset and working with law enforcement to continue to examine the attack.
The hackers may have also gained access to the email addresses linked to the Reddit users who subscribed to the company’s email digests — emails that contained suggested Reddit posts — between June 3 and June 17, 2018.
“As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data,” the company noted.
Details about the hacker’s identity are not addressed in the company’s blog post. It is unclear whether the company has identified the actor behind the attack.
Reddit’s announcement comes amid a heightened focus on data leaks, following several other high-profile cyber breaches this year that have affected millions of users, from social media platforms like Facebook to user accounts at companies like Adidas.