Security News

SMS intercept creates data breach at Reddit

Avast Security News Team, 2 August 2018

Reddit reported a data breach this week, and here’s what you need to know.

Social website Reddit announced this week that they suffered a data breach in June. In its official statement, the company calls the breach a “security incident” and provides a detailed account of how it happened.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” the statement reports. It goes on to admit this was a learning experience in security protocols: “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

The attacker gained “read only’” privileges in the Reddit system and no “write” privileges, so it could not inject false data or malware onto it. The information was viewed, copied, and stored for potential nefarious use at a later date. Reddit reports the data in question is everything from the website’s inception in 2005 through May 2007, plus “email digests” sent in June 2018. Email digests are essentially pages of recommended content customized to the user through automated logarithms. The company says it has sent informational messages to all users who have been affected. 

“I wish all companies were as transparent as Reddit is,” comments Avast security evangelist Luis Corrons. “I am impressed that 13 years ago they only stored hashes of salted passwords, as we have seen in some other breaches how companies just store hashes of the original passwords — and in some worse cases passwords, in plain text! Anyway, anyone registered on Reddit should change their password to be on the safe side.”

“It does not matter the security measures you have in place,” Luis continues. “If an attacker with enough funding goes after you, he will succeed. And this was the case with Reddit. What makes a difference here is the ability to detect the breach. In many cases the victim does not know about the breach until a third party (law enforcement) contacts them or data is leaked. We are talking months or years later. Here Reddit was able to detect the attack within 5 days, stopping the attackers in time to avoid further damage.”

If you were a victim of the Reddit data breach, or simply want to take measures to better secure your own data, Avast recommends:


  1. Change your passwords — Your login credentials are the keys to your kingdom. Never use the same password for more than one account, and make each of your passwords long multiple word phrases — the longer, the better.  If you find you are part of a breach, change your passwords immediately.

  2. Use a password manager — You don’t need to worry about remembering all those unique, complex passwords when you have a password manager, because it does all the remembering for you. Better yet, use a password manager to generate long, complicated passwords for you. Avast Passwords is included in all Avast antivirus suites, including Avast Free Antivirus