Reddit – the popular forum owned by Condé Nast’s parent company, Advance Publications – was recently in the news for a data breach that exposed private user information.
While it’s difficult to determine exactly how many people are affected – mainly because Reddit is not revealing much information – the company did publicly acknowledge a “serious” breach in which an attacker gained access to two sets of sensitive user data, described in Reddit’s own words as follows:
All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
If reddit discovered this hack all the way back in June, why did they wait until August to alert their users?
This incident also illustrates the weakness of SMS-based two-factor authentication, as Reddit admitted in its announcement:
Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
While 2FA is a good idea in most situations, it is no security silver bullet, and SMS is the weakest form of it. A one-time code sent over the phone network can be captured by a SIM-swap (the attacker talks the carrier into moving the victim’s number to a SIM they control), by attacks on the SS7 signalling network that reroute the text, or by malware on the handset; none of these require breaking the password. This has been known for years – NIST’s digital identity guidelines (SP 800-63B, 2017) already flag SMS delivery of codes as a “restricted” authenticator that agencies should move away from. The admins at reddit should have known this – perhaps now they got the memo.
The second set of data, the email digests, is particularly concerning because each digest pairs a username with the email address it was sent to, which lets the attackers link reddit accounts to real identities – and, since the digests also list subscribed subreddits, to interests their owners may never have wanted tied to their name.
So the real question is how did this happen…
Perhaps someone inside reddit was paid to give access to the “hackers” – who knows. User data is very valuable, so that should not be ruled out.
Reddit privacy tips
Here are a few privacy tips, which could be applied to other platforms aside from reddit:
- Don’t use your real name on reddit or other social media.
- Don’t use your real email. On reddit, an email address is optional at sign-up – no email verification required – so you can leave it out entirely. If you still want email notifications, set up a free secure email account (such as with Tutanota or Mailfence) that is used for nothing but your reddit profile, so a leaked digest log cannot be matched against addresses you use elsewhere.
- Use unique and secure passwords. Don’t use the same password for different platforms: a salted hash from an old backup like the 2007 one can still be cracked offline if the password is weak, and a cracked password is immediately tried against every other site you use. (Check out the password manager KeePass.)
- Use 2FA, but pick the right kind: an authenticator app (TOTP) or a hardware security key rather than SMS, since SMS codes – as this very hack shows – can be intercepted with a SIM-swap or an attack on the phone network.
- Skip the surveys.
- Be careful about revealing private information, such as employer, locations, and anything else that someone could use to track you down.
- Remember that there are many ways to identify you online – whether it is on reddit or anywhere else. This illustrates the need for using privacy tools, such as a secure browser, advertisement/tracking blockers, a good VPN to encrypt and anonymize your internet traffic, and more.
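The password tip above rests on a point the announcement only hints at: a salt stops precomputed tables, but it does nothing against a weak or reused password once the hash itself has leaked. The following is an added example written for this page, not code from the original post or from Reddit, and the records it cracks are constructed here; the hash scheme (one round of salted SHA-256) is an assumption for illustration only, since the page says nothing about what Reddit’s 2007 backup actually used. It walks a tiny wordlist against a pretend dump, then tries the recovered password on a second site where the same user reused it.

```python
import hashlib
import hmac
import os

# Constructed wordlist; a real attacker uses hundreds of millions of entries.
WORDLIST = ["password", "123456", "letmein", "reddit", "dragon",
            "qwerty", "monkey", "iloveyou", "sunshine", "football"]


def hash_password(password: str, salt: bytes) -> str:
    # Assumed scheme for illustration: one round of SHA-256 over salt||password.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(username: str, password: str) -> dict:
    """What a leaked credential row looks like: per-user random salt + hash."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt.hex(), "hash": hash_password(password, salt)}


# Constructed "leaked backup": one weak password, one long unique passphrase.
LEAKED_DUMP = [
    make_record("alice", "dragon"),
    make_record("bob", "correct horse battery staple"),
]
# Constructed second site where alice reused the same password.
OTHER_SITE = [make_record("alice", "dragon")]


def crack_record(record: dict, wordlist) -> tuple:
    """Offline guessing against one leaked row. The salt forces the attacker to
    hash every guess per row (no shared rainbow table), but with a fast hash
    that costs microseconds, so a weak password falls anyway.
    Returns (password or None, number of guesses made)."""
    salt = bytes.fromhex(record["salt"])
    for n, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_password(guess, salt), record["hash"]):
            return guess, n
    return None, len(wordlist)


def crack_dump(records, wordlist) -> dict:
    """Map each username in the dump to its recovered password (or None)."""
    return {r["user"]: crack_record(r, wordlist)[0] for r in records}


def check_login(site_records, username: str, password: str) -> bool:
    """The other site's login check: same salted-hash scheme, its own salts."""
    for r in site_records:
        if r["user"] == username:
            return hmac.compare_digest(hash_password(password, bytes.fromhex(r["salt"])), r["hash"])
    return False


def credential_stuffing(cracked: dict, site_records) -> dict:
    """Replay every recovered password against the second site."""
    return {u: check_login(site_records, u, p) for u, p in cracked.items() if p is not None}


if __name__ == "__main__":
    found = crack_dump(LEAKED_DUMP, WORDLIST)
    print("recovered from leaked dump:", found)
    print("works on the other site:", credential_stuffing(found, OTHER_SITE))
```

Note that alice’s two records carry different hashes even though the password is identical (different salts), which is exactly why salting does not save a reused password: the attacker does not compare hashes across sites, they recover the plaintext once and log in. Bob’s passphrase survives simply because it is not in any list, which is the property a password manager gives you for every site at once.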
Of course, the precautions you take should correspond to your threat level. But as this recent hack shows, your data could end up in someone else’s hands.
In this case the data did not even leave through reddit.com itself: Reddit said the attack was carried out on “employees’ accounts with our cloud and source code hosting providers.” In other words, a few employee logins at third-party services, protected by SMS 2FA, were enough to reach old backups and email logs – a reminder that your data is only as safe as the weakest account that can read it.
Why Reddit needs to die
Reddit was an interesting and innovative platform back in the early days, but the creators quickly sold out to the Condé Nast media empire in 2006. Twelve years later, Reddit is now just another corporate, censored, privacy-abusing web platform.
This latest data breach is just another example illustrating why reddit needs to die. They have put their users’ privacy and security at risk and deliberately withheld this information after the hack.
And if you need some more reasons to say goodbye to reddit, here you go:
1. Reddit is heavily censored.
Reddit in 2018 is a joke. Many subs are censored and moderated by heavy-handed mods who will remove anything on a whim.
2. Reddit does not respect your privacy.
The latest case shows that clearly. To further illustrate this issue, reddit removed its surveillance warrant canary in 2016. As reported by Reuters, this suggests that reddit “is now being asked to hand over customer data” to various authorities and agencies.
3. Reddit has a distinct bias.
Many subs have been censored and shut down for various reasons, upsetting long-time reddit users. This seems to be getting worse.
4. Reddit is boring.
Just like Facebook, Twitter, and other giant, censored media platforms, reddit has become stale and boring in 2018.
Aside from the free speech issues, the privacy violations are arguably the biggest reasons to leave reddit now.
If you are ready to consider other platforms, here are some reddit alternatives:
Time to jump ship.