Reddit Reports "Serious" Data Breach
Read about Reddit's security announcement and see if you were impacted.
Incident snapshot
- Breach Date: June 2018
- Announcement Date: August 1, 2018
- Impacted Users: Unknown
- Root Cause: Two-Factor Authentication Breach (SMS)
2018 Reddit hack compromises the information of long-time users
On August 1, 2018, Reddit announced via their blog that a hacker compromised several employee accounts with cloud and source code providers. The attack took place over the course of four days between the 14th and 18th of June 2018.
Reddit describes the attack as “serious,” although the attacker reportedly had read-only access and did not gain write access to the Reddit systems (it's still a cyber crime). This means the hacker was able to read the data in systems containing backup data, source code, and other logs. This is good news for Reddit, but not for the users whose data has been compromised.
What Reddit information was compromised
The hacker breached data from 2007 including account credentials and user emails. Luckily for early users, in its early years, Reddit had fewer features, so the breached data was mainly comprised of emails, passwords, usernames, and both public and private messages. The attacker made a complete copy of an old database containing personal information of old Reddit users from 2005 to 2007.
Newer Reddit users are not in the clear either. Logs containing “Reddit email digests” from June 3-17, 2018 were also breached. The Reddit email digests connect usernames to their respective email addresses and contain suggested subreddits. Redditors who had their email digests unchecked during the breach are unaffected.
If you’re unsure if your account has been compromised, check your inbox for an email from noreply@redditmail.com between June 3-17, 2018.
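The inbox check described above can also be run over a mailbox export. This is an added example, not from Reddit or the original article; it assumes an mbox-format export and that the June 3-17 window is measured in UTC, and the sample messages are constructed.

```python
import mailbox
from datetime import datetime, timezone
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime

DIGEST_SENDER = "noreply@redditmail.com"                   # sender named in the article
WINDOW_START = datetime(2018, 6, 3, tzinfo=timezone.utc)   # assumption: window is in UTC
WINDOW_END = datetime(2018, 6, 18, tzinfo=timezone.utc)    # exclusive, so all of June 17 counts

def in_breach_window(msg: Message) -> bool:
    """True if msg claims to come from the digest sender inside the window."""
    # parseaddr strips display names such as 'Reddit <noreply@...>'.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != DIGEST_SENDER:
        return False
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        return False                      # missing or malformed Date header
    if sent.tzinfo is None:               # "-0000" dates parse as naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return WINDOW_START <= sent < WINDOW_END

def scan_mbox(path: str) -> list:
    """Return (Date, Subject) for every matching message in an mbox export."""
    box = mailbox.mbox(path, create=False)
    return [(m.get("Date"), m.get("Subject")) for m in box if in_breach_window(m)]

# Constructed sample messages (not real mail) covering the edge cases.
SAMPLES = [
    "From: Reddit <noreply@redditmail.com>\nDate: Tue, 12 Jun 2018 09:15:00 +0000\n"
    "Subject: digest\n\nbody",                       # in window
    "From: Reddit <noreply@redditmail.com>\nDate: Mon, 18 Jun 2018 02:00:00 +0000\n"
    "Subject: digest\n\nbody",                       # after window
    "From: News <news@example.com>\nDate: Tue, 12 Jun 2018 09:15:00 +0000\n"
    "Subject: other\n\nbody",                        # different sender
    "From: noreply@redditmail.com\nDate: not-a-date\nSubject: digest\n\nbody",
]

def classify_samples() -> list:
    return [in_breach_window(message_from_string(s)) for s in SAMPLES]

if __name__ == "__main__":
    print(classify_samples())
```

The From header is set by the sender and can be forged, so a match is a triage signal that a digest was likely delivered, not proof.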
Reddit is working hard to fix their mistake
Soon after discovering the security incident, Reddit reported it to law enforcement and is currently cooperating with the investigation. Reddit recommends that users reset their passwords and was quick to send out password reset emails.
If your email address was compromised and you don’t want anything from your Reddit account to be traced back to that address, Reddit has set up a help page. Visit the Reddit help page to find instructions on how to remove information from your account.
Find out if you were impacted
To find out if your account was impacted, please visit haveibeenpwned.com and enter your email address. This tool will let you know if your email has been associated with any security breach, not just the one that happened with Reddit.
My account was impacted! What do I do?
If your account was impacted, please follow the steps provided.
Step 1: Change your Reddit password
Log in to Reddit and update your password (if you have not already done so through their password reset email).
When choosing a new password, make sure to follow these best practices:
- Never reuse passwords
- Use a strong password
- Consider using a password generator
Step 2: Set up security questions and two-factor authentication
While you're changing your Reddit password, we strongly recommend that you set up really strong and personal security questions as well as two-factor authentication (even though Reddit's SMS-based two-factor authentication was compromised).
- Security questions: Security questions are used to verify your account if unusual activity is detected. Make sure to store these in a safe place.
- Two-Factor Authentication: Two-step verification adds an additional layer of security to your account by prompting you to enter a code sent to your mobile device (through SMS or an authenticator application).
Once you have completed these steps, there are some other important things to do in order to stay secure.
Step 3: Change the passwords of any accounts that used that previous password
Any account that reused that password is also at risk. At the very least, make sure to change reused passwords for the following important account types:
- Online banking
- Social media sites like Facebook and Twitter
- Anything that involves payment data or social security numbers (PayPal, government sites)
Step 4: Change your Ultius account password
If you have an Ultius account, please follow the steps provided in our account security Knowledge Base article to change your password.
Now that you have secured your accounts and set up some additional security, keep reading for some other security considerations.
Other things you can do to protect your security
Yes, now is a great time to brush up on your security best practices. After all, we have previously written about online privacy and are familiar with the body of knowledge. Consider the options below:
- Get a password manager. We recommend using Dashlane. We use it internally at Ultius and there is a free version available for consumers (like you)
- Consider updating all of your passwords regularly, especially the ones that you have reused. Once every six months is a sufficient frequency
- Consider changing your email account to one that has a stronger track record of security, such as Gmail by Google or Outlook by Microsoft
- Consider setting up two-factor authentication on all of your important accounts (like online banking). This is an added layer of security that will help prevent unauthorized users from accessing your account without authentication from your phone
- When logging into your email, make sure that your connection is encrypted. Look for HTTPS in the URL box of your browser. It should be in green
- Never click strange links while reading emails. If you see a suspicious link, use scanURL to see if it's malicious
Lastly, don't forget to share this guide with your friends, family, and co-workers so that they can stay safe too. Ultius publishes updates on security incidents because customers who use our platform to connect with writers for trusted essay writing services (for sample use) like to be notified about information that may impact their account.