Cyber Incident Victim: Reddit
Date: Jun 2018
Location: United States of America
Summary
An attacker compromised several employee accounts by intercepting SMS-based two-factor authentication codes, gaining read-only access to systems holding backup data, source code, and logs. The breach exposed an early database backup containing usernames, salted and hashed passwords, email addresses, and user-generated content from the platform's first years, together with logs of email digests recently sent to users. The attacker obtained no write access, but the incident prompted Reddit to move critical systems from SMS to token-based 2FA, rotate production credentials, improve logging and monitoring, and engage law enforcement. Affected users were notified, and password resets were enforced where a current password could still match the compromised historical credentials.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 19, 2018, Reddit discovered that between June 14 and June 18 an attacker had compromised several employee accounts at its cloud and source code hosting providers. The primary attack vector was SMS interception: the attacker captured the one-time codes delivered by text message, defeating the SMS-based two-factor authentication (2FA) that Reddit had placed in front of its critical code and infrastructure access points. The attacker obtained read-only access to systems containing backup data, source code, internal logs, and other non-public information. No write access to Reddit's production systems was achieved, so the attacker could not alter live platform data or user content. Forensic analysis showed that two categories of user data were accessed: a complete database backup from 2007 and logs of email digests from early June 2018. The 2007 backup covered Reddit's launch in 2005 through May 2007 and contained usernames, salted and hashed passwords, email addresses, public posts, and private messages. The digest logs covered messages sent between June 3 and June 17, 2018, and linked each recipient's username to an email address alongside the digest content.

Reddit opened an investigation with its service providers upon detection, reported the incident to law enforcement, and cooperated with their inquiries. The company identified affected users from historical account records and, starting August 1, 2018, notified them by private message and email. Password resets were enforced for accounts whose current password could still match the credentials in the 2007 backup. Reddit rotated all production API keys and secrets, enhanced its logging and monitoring, and deployed new encryption. The incident also led Reddit to drop SMS-based 2FA for critical systems and mandate token-based authenticator apps instead, since a code generated on the user's device from a shared secret never transits the carrier network and cannot be captured by SMS interception. Users whose email addresses appeared in either the 2007 backup or the 2018 digest logs were advised to review their account associations, though no evidence suggested broader misuse of the accessed data beyond the initial compromise.
