Online forum Reddit has confirmed a data breach in which usernames and salted, hashed password data (not plaintext passwords) were compromised, but has not said how many of its millions of users have been affected.
The social media network, which has 234 million unique users, posted details of the hack, saying two sets of data had been accessed – one from 2007 and the other earlier this year.
The more recent set consisted of logs and databases linked to the daily email digests Reddit sent to users between June 3 and 17 this year, it said; these tie usernames to the email addresses the digests were sent to.
The older set was a database backup from 2007 containing account details and all public and private posts from the site’s launch in 2005 to May 2007.
In a statement, the firm said: “Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs.”
Reddit is messaging user accounts “if there’s a chance the credentials taken reflect the account’s current password” and has advised people to check Reddit inboxes as well as emails to see if they were affected.
The company’s chief technology officer, Christopher Slowe, said: “If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password.
“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”
Reddit’s response to the breaches has been met with some criticism within the security community.
Troy Hunt, a Microsoft regional director, said on Twitter that it sounded like Reddit was “relying on people to check if they’ve been receiving email digests and draw a conclusion from that”.
So is Reddit actually emailing people who had their addresses and usernames exposed? The way this reads, it doesn’t sound like it and they’re relying on people to check if they’ve been receiving email digests and draw a conclusion from that, right? https://t.co/s2pFDAD9NN
— Troy Hunt (@troyhunt) August 1, 2018
The attackers gained access to Reddit’s systems by intercepting text messages sent to staff as part of SMS-based two-factor authentication (2FA).
With SMS 2FA, staff logging in to a system receive a one-time code by text message and enter it to confirm their identity; because that code travels over the phone network rather than being generated on the user’s device, it can be intercepted or redirected, which is why SMS is regarded as the weakest form of second factor.
Cyber security experts have warned users to be vigilant of any phishing scams that could be attempted using stolen data.
Robert Capps, vice president at NuData Security, said: “Fortunately, this Reddit breach doesn’t include credit card information.
“However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked.
“From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities, as little as an email address can go a long way in the hands of a bad actor.”