All Reddit data from 2007 and before including account credentials and email addresses

What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.

Email digests sent by Reddit in June 2018

What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves -- they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.

How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.



kleinbl00:

    Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.

No shit.

    Somehow, the masses have been led to believe that phone numbers are inextricably bound to identities and therefore make good authentication tools. There’s a reason that Kraken has never supported SMS-based authentication: The painful reality is that your telco operates at the security level of a third-rate coat check. Here’s an example interaction:

    Hacker: Can I have my jacket?

    Telco: Sure, can I have your ticket?

    Hacker: I lost it.

    Telco: Do you remember the number?

    Hacker: Nope, but it’s that one right there. 😉

    Telco: Ok cool. Here ya go. Please rate 10/10 on survey ^_^


posted by Hubbington: 105 days ago