Reddit – the popular forum owned by the Condé Nast (Advanced Publications) media empire – was recently in the news for a data breach that exposed private user information.
While it’s difficult to determine exactly how many people are affected – mainly because Reddit is not revealing much information – they did publicly acknowledge a “serious” data breach that gives third parties direct access to sensitive user data:
All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashedpasswords), email addresses, and all content (mostly public, but also private messages) from way back then.
Email digests sent by Reddit in June 2018
What was accessed:Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
If reddit discovered this hack all the way back in June, why did they wait until August to alert their users?
This situation also illustrates the vulnerabilities of two-factor authentication, as they revealed in their announcement:
Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
While 2FA isn’t a bad idea in many situations, it’s certainly no security silver bullet – as we’ve known for years. The admins at reddit should have known this – perhaps now they got the memo.
The second data breach mentioned, involving the email digests, is particularly concerning because it gives the hackers the account and user’s email address, thereby allowing them to link reddit users with real identities.
So the real question is how did this happen…
Perhaps someone inside reddit was paid to give access to the “hackers” – who knows. User data is very valuable, so that should not be ruled out.
Reddit privacy tips
Here are a few privacy tips, which could be applied to other platforms aside from reddit:
- Don’t use your real name on reddit or other social media.
- Don’t use your real email. On reddit, you can register with a completely fictitious email address – no email verification required. But if you still want to get email notifications, you can set up a free secure email account (such as with Tutanota or Mailfence) and use it as necessary for your reddit profile.
- Use unique and secure passwords. Don’t use the same password for different platforms. (Check out the password manager KeePass.)
- Consider using 2FA (but keep in mind that two factor authentication – particularly 2FA SMS – has known vulnerabilities).
- Skip the surveys.
- Be careful about revealing private information, such as employer, locations, and anything else that someone could use to track you down.
- Remember that there are many ways to identify you online – whether it is on reddit or anywhere else. This illustrates the need for using privacy tools, such as a secure browser, advertisement/tracking blockers, a good VPN to encrypt and anonymize your internet traffic, and more.
Of course, the precautions you take should correspond to your threat level. But as this recent hack shows, your data could end up in someone else’s hands.
With the latest example, reddit claimed it was also related to one of their partners, since the hack was carried out on “employees’ accounts with our cloud and source code hosting providers.”
Why Reddit needs to die
Reddit was an interesting and innovative platform back in the early days, but the creators quickly sold out to the Condé Nast media empire in 2006. Twelve years later, Reddit is now just another corporate, censored, privacy-abusing web platform.
This latest data breach is just another example illustrating why reddit needs to die. They have put their users’ privacy and security at risk and deliberately withheld this information after the hack.
And if you need some more reasons to say goodbye to reddit, here you go:
1. Reddit is heavily censored.
Reddit in 2018 is a joke. Many subs are censored and moderated by heavy-handed mods who will remove anything on a whim.
2. Reddit does not respect your privacy.
The latest case shows that clearly. To further illustrate this issue, reddit removed its surveillance warrant canary in 2016. As reported by Reuters, this suggests that reddit “is now being asked to hand over customer data” to various authorities and agencies.
3. Reddit has a distinct bias.
Many subs have been censored and shutdown for various reasons, upsetting long-time reddit users. This seems to be getting worse.
4. Reddit is boring.
Just like Facebook, Twitter, and other giant, censored media platforms, reddit has become stale and boring in 2018.
Aside from the free speech issues, the privacy violations are arguably the biggest reasons to leave reddit now.
If you are ready to consider other platforms, here are some reddit alternatives:
Time to jump ship.
also consider fediverse, https://joinmastodon.org/ among others
Reddit is a cesspool of karma whores and narcissists. They post anything and everything they do and others vote maliciously or follow the sheeple in how they vote.
I’m responding here only because it’s the most recent post that I’m aware of and am assuming that I will more likely to get a reply here. I currently use a Nexus6P device. I want a mobile phone that would be the most reasonably secure, allow me to be free of all Google products, allow me to customize it (based on the recommendations provided on this site) in a way as to maximize the greatest degree of privacy for a mobile device. What devices would you recommend (that are more economical)? What OS would you recommend? I have heard that Replicant OS & Lineage OS are not necessarily as secure as one would think. They don’t get the same degree of updated security patches that the “stock” OS does. I have heard that although rooting your device could help in customizing your phone for privacy, it could potentially compromise it in terms of security. Based on my limited knowledge, this currently seems a little overwhelming. I use my phone for business (need Excel sheets, calculator, calendar, internet, a Notepad) & social (communicating with friends & family). From what I understand it’s best to use Signal & Tutanota or ProtonMail for communication purposes. Use FDroid for getting apps (Limiting the amount of apps as much as possible). Turning off my location (I guess it would be better to just by a GPS device to use when needed that is it’s own separate device not in anyway connected to my mobile device). Use a VPN, etc. The issue is on which mobile device should I use as a platform for the above. My Nexus 6P is a Google Device. I am not aware as to how I could clear it of all Google products. Which OS should I use? IOS isn’t a good option. Although marketed as sich
*Continued: Blackberry, although marketed as such, is not necessary a reliable alternative OS & device for security & privacy. As I already mentioned, I use my phone for limited purposes. Business & social. I favor simplicity and order. How should I go about having a mobile device that is free of all Google products & is as reasonably secure & private as can be expected? What device & OS would be recommend? I know Replicant OS & Lineage OS claim to be security/privacy focused, but Replicant OS hasn’t had a security update since 2017 & can only be used on much older devices and I have heard much criticism of Lineage OS as it relates to being a truly secure/private alternative to “stock” Android. IOS isn’t an option. Blackberry seems very questionable. What do the “experts” in privacy/security matters recommend? It should be noted I live in the USA. I’m obviously far from tech savvy. However, I’m willing to learn what would be necessary in order to effectively & efficiently achieve the level of security & privacy that I desire.
The Librem 5 phone may be your best bet – when it is released.
https://puri.sm/shop/librem-5/
https://copperhead.co/android/store
You might have to drop them a line via their sales email, the buttons to buy seem to have vanished.
It was updated last in June 2018, they seem like a solid team of experts. Getting a model such as the Pixel XL could be a good option, I think you can even pay for it with Bitcoin.
I wasn’t concerned about Reddit in the slightest, I’d never used it & couldn’t see the point of it.
But the thing about it that caught my attention was the de-platforming of Alex Jones, in co-ordination with Facebook, Apple, Disqus, Spotify, Youtube & LinkedIn (he hadn’t touched LinkedIn in months), where “violation of terms of service” was quoted as the reasons behind the sequential removal.
When I saw Mark Zuckerberg appear before Congress, I knew that it was a bell-weather for things to come & far be it a sign of greater respect for privacy, it in fact would be the reverse & I’m in no doubt that a co-ordinated NGO smear campaign was the reason behind the Alex Jones removal.
Whether we like it or not, privacy is not the only issue regarding Big Tech, but our right to even insist on it is under threat, as there are discussion in the EU & US, about location verification, I.D submission etc for people who’re “publishers”.
This would include you Sven.
Reddit’s ideological bias, along with all the others, is going nowhere & eventually, you can see that web-hosters of Alt-tech, VPN…may become targets.
Hi Richard, yes, these developments in online censorship are certainly interesting. I’m keeping a close eye on how this plays out – but it’s not looking good long term.
Thanks a lot! I didnt found Raddle website. Could you write it here ? Regards.
I just added links to all the reddit alternatives in the article.
Thanks a Lot.
Hi, Sven.
I’d like to report that it’s necessary to verity the e-mail. Today I received a notification saying that I forgor to confirm the e-mail I used to register the account. I created it 2 days ago.
Sven! I am soooooo, sooooo, glad you wrote this blog. In addition to the reasons you have mentioned, Reddit must die because for the most part, they’re are trolls in packs who downvote very good posts and upvote the most asinine, and ludicrous posts too because they belong to their fellow trolls, all in the name of karma whoring. Should someone post and take a pic how well formed their feces is, no doubt the Reddit trolls will give it thousands of upvotes.