Hacker got access to 2007 Reddit database and recent emails with usernames
Reddit reports that someone gained access to an 11-year-old database backup containing usernames, salted and hashed passwords, email addresses, and posts and PMs. In addition, more recent email addresses in combination with usernames have also been leaked.
The announcement is at the top of the front page of the popular online community at the time of writing. Users in the old backup whose password may still be the same will receive a message and an automatic password reset. The strength of the hashing used on those passwords is not reported.
In addition to the older backup, the attacker also had access to email digest logs dated June 3 to June 17 of this year. Those logs contain not only the emailed SFW posts themselves, but also the email addresses they were sent to and the associated usernames. Users who have not entered an email address in their Reddit profile, or who were not subscribed to the digests from June 3 to 17, are therefore not affected by this part of the leak.
Reddit stresses that users whose digests have been leaked should check whether they have made posts for which they would prefer to remain anonymous. The site has a help page with instructions on how to delete this public data, if desired.
The attacker obtained the user data by accessing the accounts of several Reddit employees at the site's cloud and source code hosts. Those accounts were secured with two-factor authentication, but the attacker presumably intercepted the verification SMS. The attacker obtained only read-only access. The hack took place sometime between June 14 and 18 and came to light internally on June 19. Reddit says it has reported the attack to the authorities.