Data Breach

Reddit Breach: What You Need to Know

Reddit has discovered a "security incident" in which hackers broke into Reddit's systems, the popular social aggregation and messaging site announced Wednesday.

User data that was part of the breach includes current email addresses, along with usernames, and passwords from a 2007 database. The company has not released how many of its 330 million global users were affected by the breach.

It's a fact of life that your personal data lives in many places on the web, and with security breaches becoming increasingly common, it's likely that your information is out there in some form. That's why it's smart to protect yourself by monitoring your identity.

You can start by getting your free Experian credit report to determine whether there are any accounts opened in your name. You can also run a free dark web scan to find out if information like your Social Security number, phone number, or email addresses are on the dark web.

Reddit Breach: Here's What Happened

On June 19, Reddit learned that between June 14 and June 18, hackers were able to access two databases through Reddit employees' accounts.

The first database included early Reddit user data, from the site's launch in 2005 through May 2007. User information that was accessed by intruders includes usernames, passwords that have been obscured—Reddit has not released the level of security used to scramble them, so passwords could still be at risk—email addresses, and all content, including postings and private messages, from that period.

The second database accessed by hackers contained all the logs for the email digests sent out by Reddit between June 3 and June 17, 2018. User information in that database includes email addresses, usernames, and the names of any safe-for-work subreddits users are subscribed to. (All Reddit users don't necessarily receive an email digest, but for users in the U.S., the digest setting is on by default.)

Reddit says the company has reported the breach to law enforcement officials, who are conducting an investigation. Meanwhile, Reddit is implementing additional security measures like "enhanced logging, more encryption and requiring token-based two-factor authentication."

On its breach announcement page, the company stressed "the attacker did not gain write access to Reddit systems....they were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems."

How Do You Know If Your Information Was Affected?

If your information was part of the database from 2005-2007, Reddit is "sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you're clear here. Check your PMs and/or email inbox: we will be notifying you soon if you've been affected."

However, you'll have to figure out yourself if your information was included in the second database. "If you don't have an email address associated with your account or your ‘email digests' user preference was unchecked during that period, you're not affected," the company wrote on its breach announcement page. "Otherwise, search your email inbox for emails from between June 3-17, 2018."

What to Do If You're A Redditor

One of the issues related to this breach is privacy. Reddit provides a "safe space" for users to post without their messages being linked to their real identities. However, since hackers were able to access both email addresses and usernames, it's possible that Redditors' real identities could be revealed.

If you're worried about this, check out the Reddit help page on how to remove user data like posts, private messages, and chats.

The company also suggests that users enable two-factor authentication on their accounts (that uses a third-party authenticator app). Find instructions on how to do so here.

You should update your password on your Reddit accounts, and if you use the same password in other places then you should change those passwords as well -- especially if your information was accessed in the first database. For more information on how to create secure passwords, check out Experian's guide here.

How to Protect Your Identity Online

Finally, beware of phishing scams in which fraudsters use the information they know about you, like your Reddit username, to get you to divulge personal information through email. Scammers do this by embedding hyperlinks into emails (or even text messages) that direct you to sites intended to collect your personal information or install malware onto your computer.

As a rule of thumb, do not click on links sent through email, especially if they are asking you to give up personal information. There are several variations of phishing scams—including spear phishing, angler phishing, and smishing—but the bottom line is you should always be vigilant when being asked to enter any personal information online or via text.

If you're worried that you are a victim of identity theft, consider filing a free initial security alert on your credit file that remains active on your account for 90 days at the Experian fraud center. (File it with one credit bureau, and you're good to go because the bureaus will share such alerts with their counterparts.) The fraud alert notifies lenders pulling your credit report to take extra steps to verify your identity.

But remember, fraud alerts do not block access to your credit reports. One way to do that is to freeze your credit reports, a measure that prevents lenders from issuing new credit in your name altogether.

Another is through Experian CreditLock, a benefit offered by Experian's CreditWorksSM and IdentityWorksSM products, which:

  • Allows you to easily lock or unlock your report in real time, with no waiting period.
  • Provides daily monitoring of your credit file, which means you will be alerted about any new activity, including new account openings.
  • Provides up to $1 million in identity theft insurance: If you become a victim of identity theft, you can be covered for the costs of restoring your identity, like fraudulent electronic fund transfers, lost wages, legal fees and travel expenses.
  • Gives you access to your Experian credit report and FICO® Score* , along with all the other benefits of Experian membership, such as Dark Web monitoring to protect your identity.