A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.
On June 19, Reddit learned that between June 14 and June 18, an attacker compromised a few of employees’ accounts with Reddits cloud and source code hosting providers. Already having Reddits primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), Reddit learned that SMS-based authentication is not nearly as secure as Reddit would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
Read more here: