Reddit – the popular forum owned by the Condé Nast (Advance Publications) media empire – was recently in the news for a data breach that exposed private user information.
While it’s difficult to determine exactly how many people are affected – mainly because Reddit is not revealing much information – they did publicly acknowledge a “serious” data breach that gives third parties direct access to sensitive user data:
All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
If reddit discovered this hack all the way back in June, why did they wait until August to alert their users?
This situation also illustrates the vulnerabilities of two-factor authentication, as they revealed in their announcement:
Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
While 2FA isn’t a bad idea in many situations, it’s certainly no security silver bullet – as we’ve known for years. The admins at reddit should have known this – perhaps now they got the memo.
The second data breach mentioned, involving the email digests, is particularly concerning because it gives the hackers the account and user’s email address, thereby allowing them to link reddit users with real identities.
So the real question is how did this happen…
Perhaps someone inside reddit was paid to give access to the “hackers” – who knows. User data is very valuable, so that should not be ruled out.
Reddit privacy tips
Here are a few privacy tips, which could be applied to other platforms aside from reddit:
- Don’t use your real name on reddit or other social media.
- Don’t use your real email. On reddit, you can register with a completely fictitious email address – no email verification required. But if you still want to get email notifications, you can set up a free secure email account (such as with Tutanota or Mailfence) and use it as necessary for your reddit profile.
- Use unique and secure passwords. Don’t use the same password for different platforms. (Check out the best password managers.)
- Consider using 2FA (but keep in mind that two factor authentication – particularly 2FA SMS – has known vulnerabilities).
- Skip the surveys.
- Be careful about revealing private information, such as employer, locations, and anything else that someone could use to track you down.
- Remember that there are many ways to identify you online – whether it is on reddit or anywhere else. This illustrates the need for using privacy tools, such as a secure browser, advertisement/tracking blockers, a good VPN to encrypt and anonymize your internet traffic, and more.
Of course, the precautions you take should correspond to your threat level. But as this recent hack shows, your data could end up in someone else’s hands.
With the latest example, reddit claimed it was also related to one of their partners, since the hack was carried out on “employees’ accounts with our cloud and source code hosting providers.”
Why Reddit needs to die
Reddit was an interesting and innovative platform back in the early days, but the creators quickly sold out to the Condé Nast media empire in 2006. Twelve years later, Reddit is now just another corporate, censored, privacy-abusing web platform.
This latest data breach is just another example illustrating why reddit needs to die. They have put their users’ privacy and security at risk and deliberately withheld this information after the hack.
And if you need some more reasons to say goodbye to reddit, here you go:
1. Reddit is heavily censored.
Reddit in 2018 is a joke. Many subs are censored and moderated by heavy-handed mods who will remove anything on a whim.
2. Reddit does not respect your privacy.
The latest case shows that clearly. To further illustrate this issue, reddit removed its surveillance warrant canary in 2016. As reported by Reuters, this suggests that reddit “is now being asked to hand over customer data” to various authorities and agencies.
3. Reddit has a distinct bias.
Many subs have been censored and shut down for various reasons, upsetting long-time reddit users. This seems to be getting worse.
4. Reddit is boring.
Just like Facebook, Twitter, and other giant, censored media platforms, reddit has become stale and boring in 2018.
Aside from the free speech issues, the privacy violations are arguably the biggest reasons to leave reddit now.
If you are ready to consider other platforms, here are some reddit alternatives:
Time to jump ship.
I recently discovered pushshift.io, which is a reddit user who scrapes the entirety of reddit (sub, author, post title, post, date, etc.) including PRIVATE subs. The worst thing he’s able to do is retrieve ALL (going back all years) of your deleted comments, which baffles me. He launched a site where you can enter a user name and retrieve all their deleted comments and posts. That was the end for me.
https://www.reddit.com/r/TOR/comments/jvrty6/lies_everywhere/
They talked about you here.
And yes, Nord and Express VPN are, well, let’s say there are too many advertisements about them; it’s getting too much even if they are as good as they claim.
Also, I read somewhere, I forget now where, that the NordVPN office, I think, secretly moved to #murica, so yeah.
Like I said in my Tor article, Tor followers will scream “FUD” or whatever, but they can never deny the facts or prove any of my claims wrong. They can only whine and hang out on reddit with like-minded sheep. Tor is like a cult, and reddit is an echo chamber of Group Think for these types.
PSA: VOAT is mainly alt-right (read: not conservative, not right aligned, but extreme alt-right). Not judging anyone for browsing it, just know that if you’re a normal person you might not enjoy it.
Hey Sven,
This is a subject/topic I’d like to see pinned to your home page.
If you offered a few smaller tiles pinned at the top (one like this),
it’d be visible all the time for its value to whoever lands here…
If – most readers are like me, I don’t really have anything to hide or even to say.
As for it, it’s all a digital trail tangled up on the web, lying scattered out in digital bits and pieces, STILL pieceable into renderings of my anythings that could possibly get me in trouble – especially as time marches on.
I’ll try to be nice – but human as well, as I see it – I’m no god, or at least a welcome mat…
(sometimes like Fire & Ice in the same volume sphere – I’ll mash gears with people)
The thing I think everybody can relate to – ‘I just don’t like being digitally tracked’.
Main thing is, if (you guys) don’t use a VPN – watch what you say. And if you say the wrong things on social media, in an email, txt or etc… as it’s all digital – they will contact the police on their own!
https://html2-f.scribdassets.com/12b7dv2agw7hmpxy/images/4-b32a49acc3.jpg
Reddit – – – has just done it this month, as they sent the local law enforcement a user’s IP in an email, because he made threats on their site.
Note:
If it’s your mom’s or brother-in-law’s, or the library’s down the street, IP address you’ve used, it’s still going to come back on you…
This guy (image link) was using an Apple iPhone 11, by the way.
Probe packets are sent out periodically to let your device sense which networks you can join. All a retailer needs to do to track your location is collect the timestamps that your device’s probes arrive at their anchors.
Some users may erroneously believe that encryption protects them from this kind of tracking, but only packet payloads (not headers) are encrypted.
Sequence numbers and source IDs are contained in the UWB standard packet headers.
https://freedom-to-tinker.com/2019/12/21/every-move-you-make-ill-be-watching-you-privacy-implications-of-the-apple-u1-chip-and-ultra-wideband/
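As an added illustration of the point the quoted passage makes (not part of the original comment or of the linked article): a constructed simulation in which anchors record only cleartext header fields plus arrival time, showing that payload encryption does nothing to stop linking sightings into a path, while randomizing the header identifiers does. The frame layout, field sizes and anchor names are invented for the example and are not the real UWB/802.15.4 format.

```python
# Constructed model: a frame is a cleartext header (source ID, sequence number)
# followed by an opaque (encrypted) payload. Anchors never see a key.
from collections import defaultdict
import os
import struct

HEADER = struct.Struct(">IH")  # invented layout: 4-byte source ID, 2-byte sequence number


def build_frame(src_id: int, seq: int, payload: bytes) -> bytes:
    # Payload is "encrypted" by XOR with a random one-time key; only its opacity matters here.
    key = os.urandom(len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, key))
    return HEADER.pack(src_id, seq) + ciphertext


def anchor_observe(anchor: str, t: float, frame: bytes) -> tuple:
    # Everything an anchor can log without any key: header fields and arrival time.
    src_id, seq = HEADER.unpack_from(frame)
    return (anchor, t, src_id, seq)


def link_tracks(observations) -> dict:
    # Group sightings by the stable header identifier, ordered by time: one path per device.
    tracks = defaultdict(list)
    for anchor, t, src_id, _seq in sorted(observations, key=lambda o: o[1]):
        tracks[src_id].append(anchor)
    return dict(tracks)


def walk(anchors, src_id=None) -> list:
    # One device probing near each anchor in turn. src_id=None models the mitigation:
    # a fresh random source ID and sequence number for every probe, so nothing in the
    # header stays constant between sightings.
    observations = []
    for i, anchor in enumerate(anchors):
        sid = src_id if src_id is not None else int.from_bytes(os.urandom(4), "big")
        seq = i if src_id is not None else int.from_bytes(os.urandom(2), "big")
        observations.append(anchor_observe(anchor, float(i), build_frame(sid, seq, b"hello")))
    return observations


def longest_track(observations) -> int:
    return max(len(path) for path in link_tracks(observations).values())


if __name__ == "__main__":
    route = ["entrance", "aisle-3", "checkout"]
    print(link_tracks(walk(route, src_id=0x1234)))  # stable ID: full path recovered
    print(longest_track(walk(route)))                # randomized headers: no sighting links to another
```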
also consider fediverse, https://joinmastodon.org/ among others
Reddit is a cesspool of karma whores and narcissists. They post anything and everything they do and others vote maliciously or follow the sheeple in how they vote.
I’m responding here only because it’s the most recent post that I’m aware of and am assuming that I will be more likely to get a reply here. I currently use a Nexus 6P device. I want a mobile phone that would be the most reasonably secure, allow me to be free of all Google products, allow me to customize it (based on the recommendations provided on this site) in a way as to maximize the greatest degree of privacy for a mobile device. What devices would you recommend (that are more economical)? What OS would you recommend? I have heard that Replicant OS & Lineage OS are not necessarily as secure as one would think. They don’t get the same degree of updated security patches that the “stock” OS does. I have heard that although rooting your device could help in customizing your phone for privacy, it could potentially compromise it in terms of security. Based on my limited knowledge, this currently seems a little overwhelming. I use my phone for business (need Excel sheets, calculator, calendar, internet, a Notepad) & social (communicating with friends & family). From what I understand it’s best to use Signal & Tutanota or ProtonMail for communication purposes. Use F-Droid for getting apps (limiting the amount of apps as much as possible). Turning off my location (I guess it would be better to just buy a GPS device to use when needed that is its own separate device, not in any way connected to my mobile device). Use a VPN, etc. The issue is which mobile device I should use as a platform for the above. My Nexus 6P is a Google device. I am not aware as to how I could clear it of all Google products. Which OS should I use? iOS isn’t a good option. Although marketed as such
*Continued: Blackberry, although marketed as such, is not necessarily a reliable alternative OS & device for security & privacy. As I already mentioned, I use my phone for limited purposes. Business & social. I favor simplicity and order. How should I go about having a mobile device that is free of all Google products & is as reasonably secure & private as can be expected? What device & OS would you recommend? I know Replicant OS & Lineage OS claim to be security/privacy focused, but Replicant OS hasn’t had a security update since 2017 & can only be used on much older devices, and I have heard much criticism of Lineage OS as it relates to being a truly secure/private alternative to “stock” Android. iOS isn’t an option. Blackberry seems very questionable. What do the “experts” in privacy/security matters recommend? It should be noted I live in the USA. I’m obviously far from tech savvy. However, I’m willing to learn what would be necessary in order to effectively & efficiently achieve the level of security & privacy that I desire.
The Librem 5 phone may be your best bet – when it is released.
https://puri.sm/shop/librem-5/
https://copperhead.co/android/store
You might have to drop them a line via their sales email, the buttons to buy seem to have vanished.
It was updated last in June 2018, they seem like a solid team of experts. Getting a model such as the Pixel XL could be a good option, I think you can even pay for it with Bitcoin.
I wasn’t concerned about Reddit in the slightest, I’d never used it & couldn’t see the point of it.
But the thing about it that caught my attention was the de-platforming of Alex Jones, in co-ordination with Facebook, Apple, Disqus, Spotify, Youtube & LinkedIn (he hadn’t touched LinkedIn in months), where “violation of terms of service” was quoted as the reason behind the sequential removal.
When I saw Mark Zuckerberg appear before Congress, I knew that it was a bellwether for things to come & far from being a sign of greater respect for privacy, it in fact would be the reverse, & I’m in no doubt that a co-ordinated NGO smear campaign was the reason behind the Alex Jones removal.
Whether we like it or not, privacy is not the only issue regarding Big Tech, but our right to even insist on it is under threat, as there are discussions in the EU & US about location verification, ID submission, etc. for people who’re “publishers”.
This would include you Sven.
Reddit’s ideological bias, along with all the others, is going nowhere & eventually, you can see that web-hosters of Alt-tech, VPN…may become targets.
Hi Richard, yes, these developments in online censorship are certainly interesting. I’m keeping a close eye on how this plays out – but it’s not looking good long term.
Thanks a lot! I didn’t find the Raddle website. Could you write it here? Regards.
I just added links to all the reddit alternatives in the article.
Thanks a Lot.
Hi, Sven.
I’d like to report that it’s necessary to verify the e-mail. Today I received a notification saying that I forgot to confirm the e-mail I used to register the account. I created it 2 days ago.
Sven! I am soooooo, sooooo, glad you wrote this blog. In addition to the reasons you have mentioned, Reddit must die because for the most part, there are trolls in packs who downvote very good posts and upvote the most asinine and ludicrous posts too because they belong to their fellow trolls, all in the name of karma whoring. Should someone post and take a pic of how well formed their feces is, no doubt the Reddit trolls will give it thousands of upvotes.