Reddit — Data Breach
Executive Summary
Reddit disclosed a data breach that occurred between June 14 and 18, 2018, and was discovered on June 19. Attackers intercepted SMS-based two-factor authentication codes to compromise employee accounts at Reddit's cloud and source code hosting providers. The breach exposed a complete copy of all Reddit data from 2005-2007 (usernames, hashed passwords, emails, all public and private messages) and email digest logs from June 3-17, 2018 linking usernames to email addresses.
What Happened
Reddit disclosed on August 1, 2018 that attackers had compromised several employee accounts at its cloud and source code hosting providers between June 14 and 18, 2018; the intrusion was discovered on June 19. The attackers intercepted SMS-based two-factor authentication codes to gain read-only access to backup data and source code. The breach exposed a complete copy of Reddit data from 2005-2007, including usernames, salted and hashed passwords, email addresses, public posts and private messages, as well as email digest logs from June 3-17, 2018 that linked usernames to email addresses.
Who Is Affected
All Reddit users who registered accounts before May 2007 had their usernames, email addresses, and obfuscated passwords exposed, along with all their public posts and private messages from that period. Users who had signed up to receive daily email digests of specific discussion threads in early June 2018 also had their email addresses and associated usernames exposed. Reddit was a much smaller platform in 2007 compared to 2018, limiting the total number of affected users from that early period.
Why It Matters
This breach demonstrates that SMS-based two-factor authentication can be intercepted and is not sufficiently secure, even when protecting access to critical systems at a major technology company. The incident exposed private messages and communications that users sent up to eleven years before the breach, showing that historical data remains vulnerable. Reddit acknowledged SMS authentication provides a false sense of security and recommended users switch to token-based authentication apps instead.
What You Should Do
If you had a Reddit account before May 2007, change your Reddit password immediately and change passwords on any other accounts where you used the same or similar credentials. Switch from SMS-based two-factor authentication to app-based authentication using tools like Google Authenticator or Authy on all accounts that offer this option. Assume that any private messages you sent on Reddit before 2007 may have been exposed and take appropriate steps if those contained sensitive information.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.