On Wednesday 1 August 2018, Reddit published information on its forum confirming that in June 2018, all data created on Reddit between 2005 and 2007 – including users’ protected passwords and email addresses – had been compromised.
In addition, current usernames and corresponding email addresses were obtained from weekly email digests that round up top Reddit posts. Reddit’s full statement can be found here.
Attackers may use this stolen personal data to approach people, and attempt to trick them into revealing more information (such as banking login details).
What should I do?
- If you haven’t changed your Reddit password since 2008, change it now (see Cyber Aware’s advice on creating a good password that you can remember).
- Enable two-factor authentication for important accounts, where you can. Even SMS-based two-factor is much better than none.
- Be wary of unsolicited emails, phone calls or SMS messages asking you to disclose further personal details. Some scams can be very convincing and attackers may use your personal data to make them look even more realistic. Report suspicious emails, phone calls or SMS messages to Action Fraud.
- Now would be a good time to check if your account has appeared in any other public data breaches. Visit https://haveibeenpwned.com, enter your email address and go from there.
What else do I need to know?
Private messages sent before 2008 through the site may have been leaked, which could cause concern to some users. For modern data, the breach of privacy was minimal (you might be able to infer that someone is a member of a ‘niche’ reddit group from the email digest they are sent).