Reddit became aware of the attack on June 19 and says it has since mitigated the threat and rolled out improved systems and processes to prevent it from happening again.
Hackers also managed to get their hands on all public and private posts from between the site's launch in 2005 and May 2007.
Hackers reportedly bypassed the providers' two-factor authentication (2FA) system using an SMS intercept, meaning the person(s) responsible rerouted the SMS carrying the 2FA code to a device they controlled and read the code there.
Reddit said the hacker "compromised a few employees' accounts with our cloud and source code hosting providers" and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.
They were able to obtain usernames and corresponding email addresses, information that could make it possible to link activity on the site to real identities. While Reddit has two-factor authentication in place for its employees, it used SMS-based authentication, which is less secure than other methods. Reddit notes it suspects "weaknesses inherent to SMS-based 2FA to be the root cause of this incident". The key works without the need for any special software drivers, and the user never has access to the code, so they can't give it away or otherwise leak it to an attacker.
"If you don't have an email address associated with your account or your 'email digests' user preference was unchecked during that period, you're not affected", the company explained.
Another user called ThereIsNoWayItsDNS fumed: "How does a site of 12+ years with this amount of traffic wait so long to hire a head of security?"
Affected users will also be told that their data has been accessed and which data was involved. The company said that since the intrusion it has bolstered its monitoring systems and has reported the breach to law enforcement, which is investigating.
For users whose account credentials were compromised, Reddit will force a password reset.
"We cannot rely on single-factor authentication for our passwords to protect our digital lives". The core idea behind 2FA is that even if thieves manage to phish or steal your password, they still cannot log in to your account unless they also hack or possess that second factor. The bad news? This incident involved a two-factor authentication bypass.
"A cybercriminal only needs to get their hands on one password to potentially gain access to private and even financial information across a number of accounts and apps". It's not as hard as you might think. If you meet the criteria mentioned in the full breakdown, you should probably change your Reddit password, and you should look into two-factor authentication either way. Security researchers in recent years have warned against using SMS-based 2FA systems.