"Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today", the company added.

"Reddit needs to raise the priority on implementing the model of least privilege and privileged access security controls as this breach demonstrates that the accounts compromised had read access to storage systems including source code, logs and configurations". This data is less critical, but it could prove troublesome for users who haven't changed their password in a while. The main attack apparently involved an SMS intercept, as Reddit was using two-factor authentication. The company learned about the attack on June 19.

Additionally, the attacker gained access to logs containing email digests sent by Reddit to users between June 3 and June 17, 2018.

Reddit said it was messaging user accounts "if there's a chance the credentials taken reflect the account's current password" and has urged users to check their Reddit inboxes as well as their emails to establish if they were affected by either breach.

First, we learn that the company has known about this breach for more than a month, during which time it said nothing, and even now it hasn't put a figure on the number of Reddit users who are at risk.

The company is sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. On Wednesday Reddit began informing users who may be included in this dataset. The data includes usernames and email addresses linked to those accounts.

Hackers were also able to access a database relating to the site's newsletter. This leak also contained an old database backup that covered the years 2005, 2006, and 2007. If you did receive email digests during this period, check your inbox for emails from [email protected] between June 3 and June 17.

Reddit said the hacker never got "write access" to its servers.

Whatever the case may be, Reddit is using the security incident to encourage the public to switch over to non-SMS-based two-factor authentication.

If you signed up for Reddit after 2007, this doesn't affect you.

Most of the other data accessed is on the Reddit backend, so there isn't expected to be other compromised user data. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.

"Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim's cellular provider and convinced them to transfer the phone number to a new SIM".

The company has already reported what happened to law enforcement and is cooperating with an investigation.