Reddit histories are often used to out people for unsavory public statements buried in the depths of the forum, but now, users may have something completely new to worry about, after Reddit announced that a hack exposed a segment of user information including private messages through May 2007.
The announcement came in a lengthy post on r/announcements from Reddit’s CTO Christopher Slowe (u/KeyserSosa). In the post, Slowe revealed that over a five day period in June, a hacker accessed multiple employee accounts by intercepting SMS-messages used in two-factor authentication, a security protocol meant to add an extra-layer to passwords.
While the hacker reportedly didn’t gain access to Reddit’s main systems, they did access backup data that contained user emails, usernames, salted hashed passwords, public posts, and private messages from 2005 through May 2007.
While Slowe repeatedly emphasized the age of the data breached, people who haven’t changed their passwords since then or who exchanged sensitive private messages may find little comfort in his reassurances.
It is true that far fewer users used Reddit in its early years than they do now. According to Statista, the number of subreddits has gone from 10,926 in 2008 to over 1,179,342. While there were likely many more than 10,926 users on Reddit in 2007, even the prospect of exposing that many people’s DMs is disturbing when you think of dystopic uses of private information, like blackmail or extortion. When reached for comment, Reddit would not specify how many accounts were actually compromised in the hack. They say they are working to message affected users.
But Reddit isn’t alone in having a data breach resulting in a DM leak. In January 2017, a hacker made off with 6-months of Jabber chat logs. In 2016, the “secure” messaging app Telegram was breached, exposing usernames and passwords of 15 million people, and thus, their texts. In 2018, NBC reported that a security flaw had allowed a man to gain access to messages and photos from the gay dating app Grindr’s 3 million daily users. And also in 2018, it was revealed that the popular fitness app PumpUp had a vulnerability that allowed access to the health data and private messages of its 6 million users.
While the violations are disturbing, Reddit users may not be surprised. This isn’t the first time the site itself has been hacked. In 2016, Reddit was hacked days before the election by someone who populated Reddit’s r/all frontpage with alt-Right stories. In May 2016, a hacker hijacked nearly 70 subreddits in the matter of a few weeks. That same year, Reddit was forced to reset 100,000 passwords after an uptick in hacked accounts, supposedly stemming from the giant LinkedIn hack affecting 100 million people.