Reddit has disclosed that “a few” of its employees’ accounts at its cloud and source code hosting providers were recently compromised, and that the attackers gained access to a significant amount of user data.
Between 14 and 18 June 2018, the attackers gained access to a complete copy of an old database backup covering Reddit's early years up to May 2007, including usernames, salted and hashed passwords, and email addresses.
They also obtained logs of the email digests sent between 3 and 17 June 2018; each digest names the recipient's username and the email address it was sent to, so the logs tie accounts to real-world addresses.
The BBC reported that Reddit has received criticism for the way it is handling the incident, as it is not contacting users affected by the email breach.
Security researcher Troy Hunt told the publication that Reddit’s refusal to notify those users doesn’t make sense. He noted that particularly in the case of the email digest, it is potentially exposing the identities behind what is a “deliberately anonymous account.”
Reddit explained that the main attack was executed via an SMS intercept: the one-time codes sent to employees' phones were captured by the attacker, so SMS-based two-factor authentication did not stop logins with the compromised passwords.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication, we learned that SMS-based authentication is not nearly as secure as we would hope,” said Reddit.
“We point this out to encourage everyone here to move to token-based 2FA.”