Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says (reddit.com)

Posted by msmash on from the security-woes dept.

A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords, Reddit said Wednesday. From the announcement: Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again. Reddit says the incident occurred between June 14 and June 18 when the hacker "compromised a few of our employees' accounts with our cloud and source code hosting providers." Interestingly, even as Reddit employees maintain 2FA on their accounts, the attacker managed to get access to their data. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company said. The company says it has a reason to believe the attacker had access to the following data: All Reddit data from 2007 and before including account credentials and email addresses. What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007. In Reddit's first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then. How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you're clear here.

44 comments

  1. HANNITY2024!!! by Anonymous Coward · · Score: -1, Troll

    Keep America Great Again!

  2. â(TM) by Anonymous Coward · · Score: -1

    get ur shit together

  3. That's nothing... by Anonymous Coward · · Score: -1

    Some marketing company bought slashdot and sold low uid accounts to shills so they could attempt to influence the community

  4. Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: -1

    Editing posts and I wouldn't put it past him to try to frame people.. The people who run that are leftist pieces of shit (and no, don't Trump me, the orange troll-doll just an egotistical piece of shit).

    1. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

      Are you talking about this incident that /. reported on earlier?

      If comments can be changed so easily within their system, how can we as users be sure that this latest announcement is legitimate?

      Has this disaster been confirmed through any other Reddit-management-controlled medium or media that are less likely to have also been compromised?

    2. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

      Jesus Christ, you fucking morons, these are social media sites run by private people/companies as they please. They can edit whatever they like whenever they like in which way they like, ban people, delete posts, etc., and they wish. Run you own forum or get a fucking life, you fucking idiots!

    3. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

      State the obvious. Random anon coward flips out. ??

    4. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

      "I used to hold opinion X but then someone called me a 'fucking moron' told me to 'get a life'. That's when everything changed for me"

      I'm AC, and this is my story.

    5. Re: Sorry, Spez hacked accounts before this by Dogtanian · · Score: 1

      Jesus Christ, you fucking morons, these are social media sites run by private people/companies as they please.

      And others are free to criticise them as they please. Whether or not they want to run their own social media website.

      They can edit whatever they like

      I wouldn't be as confident as you are if it came to court. Even if there's some BS covering this in the small print of the terms and conditions, putting words in someone's mouth without it being obvious this has been done sounds legally dubious to me.

      ban people, delete posts, etc., and they wish.

      Yes, they can. And others are free to criticise them for this. Whether or not they want to run their own social media website.

      Run you own forum or get a fucking life, you fucking idiots!

      This whole post is virtually the same logic hauled out by fanboys of big companies when they're criticised. No, the fact that someone isn't pointing a gun at my head forcing me to buy (e.g.) the latest iPhone doesn't negate my right to criticise it. Or require me to design and build my own iPhone.

      Logically, this would preclude criticism of the vast majority of things and remove the critical/review information that a truly free market depends upon.

      'Course, the irony with such fuckwits is that they act like they're defending free markets, when in fact they're attacking a core part of their functioning.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  5. Actual impact is what? by Anonymous Coward · · Score: 0

    Let us be generous and assume reddit users follow accepted advice and use unique passwords on all sites. What then was actually leaked here other than making public some users who wished to remain anonymous but somehow not enough to use a unique email address as well?

    Most of these email/password leaks are non events when using unique passwords yet it is a big story each time.

    1. Re: Actual impact is what? by Anonymous Coward · · Score: -1

      Given today's political climate, don't underestimate the harm that could come to somebody who gets linked to comments that were made a decade ago, but that bother some extremists today. Take, for example, somebody who made a comment on Reddit in 2007 saying something along the lines of 'I disagree with the idea of intentionally aborting human fetuses.'. Now suppose that that individual now lives and works in an area with many left-wing extremists, such as San Francisco. If a link is made between the comment and the person who made it, the commenter could very well face a variety of attacks, ranging from verbal attacks, to reputational attacks, and even perhaps to physical attacks. If you don't believe that such a scenario could happen, just look at the case of Brendan Eich and how he was ruthlessly attacked merely for supporting the idea that marriage should be between a man and a woman. When dealing with the sort of left-wing extremists that society is facing today, it should be clear that these left-wingers are capable of very harmful attacks against innocent people.

    2. Re: Actual impact is what? by xxxJonBoyxxx · · Score: 1

      I can't quite tell if you're trolling so I'll bite. Yes a non-trivial number of those Reddit users will have their password hashes rainbow tabled, and then their email/password combos will be used to access their accounts on other sites. Even 11 years later. In fact, my place of employment will probably be adding the Reddit list to the list of credential combos we run against our own systems to make sure bad guys can't try the same trick here. (We tend to mysteriously force a silent password change on affected users.)

    3. Re: Actual impact is what? by Anonymous Coward · · Score: 0

      I feel like you ignored the part where we were assuming they good users have unique passwords.

    4. Re: Actual impact is what? by Anonymous Coward · · Score: 1

      Rainbow tabled??? If the hashes were salted, and it says in the summary they were, then rainbow tables would be unlikely. Rainbow tables would have to be generated for each salt, and presuming the salts weren't incredibly stupid the number of hashes per salt wouldn't be common enough to make rainbow tables worthwhile.

      However, they could and presumably would generate hashes using a brute force approach.

    5. Re: Actual impact is what? by sg_oneill · · Score: 1

      11 years ago MD5 was still the go-to encryption of choice. Generating a rainbow table for that is possible in an hour or so with a cluster of rented Amazon GPU servers, at a pretty low price, especially if stolen credit cards are involved. This isn't the problem it used to be.

      Now if its properly salted with a salt for each password, sure, its a bit harder, but for a lot of folks salt just means add the word "SECRET" to the start of the password.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    6. Re: Actual impact is what? by hoggoth · · Score: 1

      You have no idea what 'salted' passwords means, do you? It doesn't add the word 'SECRET' to every password or any other secret word. It adds a *different* random string to every password. This means rainbow tables are useless because the entire rainbow table would be specific to ONE user's password. It would be completely pointless to generate a rainbow table for ONE user instead of just a brute-force attack on that user, with or without a 'cluster of rented Amazon GPU servers'.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    7. Re: Actual impact is what? by xxxJonBoyxxx · · Score: 1

      >> Rainbow tabled??? If the hashes were salted,

      Depends again on how they salted. If they used one salt for all passwords (as I've seen before) and it was captured too, then game over. However, if each entry had its own salt then yep, you're correct. (And thanks for reading the TFA - I always seem to lose interest before I get there.)

  6. Gotta wonder how loose their definitions are by Anonymous Coward · · Score: 0

    "few" == "most of"

    "some" == "all"

    Technically, they wouldn't be lying...

  7. It was a walk-off ... by CaptainDork · · Score: 2

    ... steal of a backup tape or EHD by a former Reddit employee.

    --
    It little behooves the best of us to comment on the rest of us.
  8. 2FA SMS by Anonymous Coward · · Score: 0

    Something you have and now also the hacker has, lol.

  9. Does /. have a Head of Security? by Anonymous Coward · · Score: 0

    One of the comments to the Reddit announcement says that Reddit got their first Head of Security less than 3 months ago!

    Does /. have a dedicated Head of Security?

    If not, why not? Is it a matter of cost?

  10. AC Accounts FTW by Anonymous Coward · · Score: 1

    This is why I don't have a Reddit, or a Slashdot, account. Can't steal information that doesn't exist.

    1. Re: AC Accounts FTW by Anonymous Coward · · Score: 0

      This.

  11. What doesnâ(TM)t get hacked? by Anonymous Coward · · Score: 0

    So what site doesnâ(TM)t get hacked or at least attempted to be hacked.

  12. SMS 2FA by ChoGGi · · Score: 1

    Just more proof SMS 2FA is really just 1FA

  13. Nooo by Anonymous Coward · · Score: 0

    It had to be a hacker! How else is msmash going to be k-rad kewl?!?

    1. Re:Nooo by Anonymous Coward · · Score: 0

      It had to be a hacker! How else is msmash going to be k-rad kewl?!?

      M'Smash knows that fedoras, neckbeards, trenchcoats, and samurai swords will always be teh uber-leet.

  14. WTF by Wolfrider · · Score: 1

    A) Why are they even keeping backups that old, and B) not to mention, NOT ENCRYPTED?? Basic Security fail...

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    1. Re:WTF by Anonymous Coward · · Score: 0

      "A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007"

      Yeah, why the hell did they even have that?

    2. Re:WTF by Ksevio · · Score: 1

      Just in case all the other backups failed, they could revert back to that one!

    3. Re: WTF by Anonymous Coward · · Score: 0

      Jesus Christ... I know that most of the good people left /. a decade ago, but doesn't anyone else here have experience working in IT, operations, or some other real-world computing industry field?! Keeping backups and other data indefinitely is routine, if not mandated by company policies. It's critical to have trusted and verifiable backups in the case of a security incident like this, so that any allegedly-leaked data can be confirmed as valid, as well as to see if it has been tampered with in some way. Comments like yours and the earlier one just reinforce the rumor that only inexperienced neckbeards and Ruby on Rails amateurs post here!

    4. Re:WTF by Hadlock · · Score: 1

      It's really easy during early startup years to open two or more cloud accounts and then just keep paying the bills because it's cheaper to host the data than pay someone to dig through it and make sure it's ok to delete and won't bring your business crashing down in six months.
       
      One startup I worked at, because of the city we were located in, got $10,000 account credits from digital ocean, linode and a bunch of others, which at $10/mo for data storage is basically forever. And the guy setting those up, especially in the early years, is likely to have not come up with password standards yet.
       
      It's easy to work at an established company with mature IT practices, but starting one from scratch, especially in a high growth environment, and do it safely and securely, is fucking hard, man.

      --
      moox. for a new generation.
    5. Re: WTF by Anonymous Coward · · Score: 0

      Sure you keep backups...offline. Leaving them laying around on your production servers is a pretty poor practice and I highly doubt was done intentionally.

  15. Would using Rust have helped? by Anonymous Coward · · Score: -1

    Would using the new Rust programming language, which has been designed from the ground up with security and safety in mind, have prevented this incident? By that I mean if Reddit and the phone SMS software and so forth was written in Rust.

    1. Re:Would using Rust have helped? by Anonymous Coward · · Score: 0

      No, Rust would not have helped secure against this attack. I think Cobol would be a better choice for critical business security.

    2. Re:Would using Rust have helped? by hoggoth · · Score: 1

      Programming language security had nothing to do with this hack. Someone called the phone company and pretended to be a clueless customer who was trying to port his phone to a new provider. Lazy phone company rep decided that even though the "clueless customer" didn't pass any of the security questions he would go ahead and port the phone away anyway 'to be helpful'. Now the hacker can receive all SMS messages that were supposed to go to the phone. He logs into Reddit's backend as the user and it sends a 2FactorAuthentication code to the user's phone. Which the hacker is now receiving.

      Sending codes as an SMS to a phone is terrible security and everyone has known this for years. Bitcoin exchanges have been very publicly hacked this way enough that no exchange would even consider using SMS for security. I'm surprised Reddit, which has a very technical community, allowed this.

      BTW my bank still ONLY offers SMS security :-(

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  16. Not to worry by SuperKendall · · Score: 1

    Hacker was found in basement having turned to a pillar of salt by looking at Raw Reddit.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  17. SMS Weaknesses by secwatcher · · Score: 1

    They were using SMS 2FA? Really?? That said it sounds like the number impacted was small, so at least Reddit learned from this (relatively) smaller incident instead of something bigger happening.

  18. Was it Russian? British? American? Martian? by Anonymous Coward · · Score: -1

    Quick..was it a Russian? KGB? American? NSA? British? Indian? China? Martian? It seems to be so important to know the nationality because, well, it helps get clicks and stoke the paranoia files.

    It was a hacker....which means it could be some 15 year old kid in a basement in Greece....

    But we gotta have the hysteria!!!!!!!

  19. Reddit's admins are furious by Anonymous Coward · · Score: 0

    How is Spez supposed to access the hacked data for editing posts they disagree with?

  20. GDPR by Anonymous Coward · · Score: 0

    Isn't such old data left around a violation of GDPR? I have right to see my data and ask it to be removed.

  21. What is the worst that can happen? by mea2214 · · Score: 1

    Reddit supports anonymous users. If I get compromised on one of my accounts the worst that can happen is someone posts praising Obama in r/the_donald making me lose 10,000+ karma points. Not terribly important IMHO.

    1. Re: What is the worst that can happen? by Anonymous Coward · · Score: 0

      It doesn't support anonymous users if you have to log in with an account to comment there. The use of accounts means that identity of some form is present.

  22. SPEZ by Anonymous Coward · · Score: 0

    Just edit the hack so the hacker only gets some ice chili recipes