Reddit suffered a data breach between June this year and have subsequently lost all Reddit data from 2007 and before, containing account credentials (username and hashed + salted password), email addresses and both public and private messages.

More recent data includes email digests sent during the period of June 2018 and subsequently contains the username and email address this was sent to.

So far, Reddit has not revealed the number of users compromised during the attack but have chosen to post details of how this happened.

The attack unfolded by compromising Reddit employee accounts protected by SMS-based two-factor authentication (2FA).

The attacker was able to intercept the text-message based 2FA method and gain access to read-only privileged accounts used to retrieve the data mentioned above.

As a result of this attack, Reddit have taken a stance to inform all of their users to protect their accounts with token-based authentication rather than text messages.

They have also posted information on how to identify if your account may have been affected by this data breach and the precautions to take against this.

There are two key points to take from this; the first of which is that SMS-based 2FA is significantly weaker than a token-based 2FA; the second point being the stance Reddit have taken on this. While they have not disclosed numbers, they have worked with their users to provide transparency of how this happened, who was affected, and how to protect yourself in future.

To complement the advice Reddit gave, we also strongly recommend moving to token-based 2FA. Google Authenticator is an excellent example of how this can be executed, we strongly advise moving over to this 2FA option on any applications or services which offer it!