Hackers breach Reddit systems, steal super old personal information

Your email address and your password from 2007 were stolen.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
3 min read

Hackers compromised systems and stole a cache of user data from Reddit , but the information would only jeopardize your account if you haven't changed your password in 11 years. 

The stolen information included current email addresses, the popular news-sharing site said on Wednesday. But the passwords they nabbed were old -- from 2007.

That means now is the time to act if you haven't changed your Reddit password in more than a decade. And if you were using that password somewhere else, it might be a good idea to change your credentials there, as well.

The hack took place in mid-June and the company discovered the breach on June 19. "Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again," Christopher Slowe, Reddit chief technology officer and founding engineer, in a post -- where else? -- on Reddit

Slowe, whose username on Reddit is u/KeyserSosa, said the breach was possible because Reddit was using an outdated form of two-factor authentication on its employee accounts. When logging in to their accounts, Reddit workers received an SMS message with a one-time code to enter after their password. This SMS-based version is no longer considered safe because it's considered too easy for attackers to intercept the texts.

Watch this: How to turn on Reddit's new dark mode

That's what appears to have happened at Reddit. 

"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Slowe said. Reddit is changing its employee login system to prevent a similar attack in the future, Slowe said. The stolen passwords were hashed, which means they were put through an encryption process that's scrambles them up into a long string of random characters that's supposed to be difficult to reverse. However, hashing techniques have improved since 2007 and many of the techniques used then are relatively easy to break now. So the security of the pilfered passwords depends on which hashing tool Reddit used.

In 2016, the US National Institute of Standards and Technology said it would no longer recommend SMS-based authentication, and in 2017 released official guidance describing the risks organizations take when using the approach to secure their systems. 

Reddit didn't immediately respond to a question about which hashing tool it used on the cache of 2007 passwords. In response to a question about whether Reddit knew SMS-based authentication was risky, a spokeswoman directed CNET to remarks from Slowe in the comment thread below his post about the breach.

There, Slowe said, the company couldn't always avoid using SMS-based authentication due to the third-party software it was using. 

"We've since resolved this," Slowe said. "We point this out to encourage everyone here to move to token-based" two-factor authentication," he added.

Tokens are physical keys that can authenticate you either through your USB drive or with a near-field communication connection that doesn't require you to plug the token in. Yubico sells a popular version of a token and Google just announced its own version called a Titan Security Key.

Slowe said the company will reach out individually to its users who were affected by the breach. If your password was in the breach and might be your current password, the company will force you to reset it.

"Whether or not Reddit prompts you to change your password," Slowe said, "think about whether you still use the password you used on Reddit 11 years ago on any other sites today."

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.