Reddit hack exposes old private messages

Your finely aged private memes are on the loose.
By Jack Morse

The internet is forever, and, yes, that apparently includes your old Reddit private messages.

The so-called front page of the internet today announced that it suffered a hack in June, and, as a result, Reddit private messages from 2005 to 2007 are now in the hands of the as-of-yet unknown culprits.

That's right, your finely aged secret memes are on the loose. Oh, and also your email addresses and account credentials.

"A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007 [was accessed]," explains a statement from the company. "In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then."

According to the statement, Reddit plans to notify all affected users and reset passwords for accounts that might still be using decade-old passwords. Importantly, the company insists, if you got your first Reddit account post-2007 you're in the clear.

We reached out to Reddit in an attempt to determine if long-deleted accounts from back in the day were affected in any way, but did not receive an answer to that question as of press time.

So how did this happen? It appears that SMS-based two-factor authentication played a key role.

"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," notes the statement. "We point this out to encourage everyone here to move to token-based 2FA."

Indeed, while 2FA is a vital security tool, it does have its weak points. Dedicated hackers can potentially intercept codes sent via SMS by exploiting a flaw in what is known as the Signaling System 7 protocol (SS7), or simply phish the code. A physical security token, as endorsed by Google, is much more secure.

Reddit is working with law enforcement to investigate the hack, and in the meantime encourages all its users to set up 2FA with an authenticator app.

And, although Reddit doesn't officially recommend this, if you have a super old Reddit account it's worth your time to take a walk down your private message memory lane to double check you didn't reveal anything of value in your old PMs. Because having a hacked 12-year-old private message come back to bite you in the ass is probably not how you want to start your day.

Jack Morse

Professionally paranoid. Covering privacy, security, and all things cryptocurrency and blockchain from San Francisco.
