Reddit said it was messaging user accounts "if there's a chance the credentials taken reflect the account's current password" and has urged users to check their Reddit inboxes as well as their emails to establish if they were affected by either breach.
A user known as DangerousRabbit asked: 'I suppose best practice for "data hygiene" is to assume that nothing you delete on a service is ever really gone, but is this officially standard practice at Reddit?'

Reddit says hackers were able to intercept the platform's SMS-based 2-factor authentication (2FA) system.

Crucially, the logs contained both a person's username and associated email address - providing hackers with a database from which a person's real identity could potentially be discovered. Together, these details could.
Attackers gained read-only access to systems with backup data, source code, and "other logs".
If the passwords haven't been properly salted (a unique salt for each password), an attacker might recover some of them relatively quickly and might then try the compromised username and password pairs on other websites.
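To make the salting point concrete, here is an added example (not code from the article or from Reddit) contrasting an unsalted password store with one that uses a fresh random salt per user and a slow key-derivation function. The user records and the wordlist are constructed sample data; the function names and the iteration count are this example's own choices.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample data (not from the article): three accounts, two of
# which happen to share a password, as routinely happens in real user bases.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

# Constructed wordlist standing in for the tables an attacker can compute
# once, ahead of time, and reuse against every unsalted dump.
SAMPLE_WORDLIST = ["password", "correct horse", "letmein"]

# Demo iteration count; production should follow a current recommendation
# (several hundred thousand iterations for PBKDF2-HMAC-SHA256).
ITERATIONS = 100_000


def unsalted_hash(password: str) -> str:
    """Weak scheme: a plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Hardened scheme: a random 16-byte salt per user plus a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def store_unsalted(users: dict[str, str]) -> dict[str, str]:
    """What a leaked unsalted table looks like: identical passwords, identical hashes."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """What a leaked salted table looks like: every digest is unique."""
    return {name: salted_hash(pw) for name, pw in users.items()}


def resolved_by_precomputed_table(stored: dict[str, str], wordlist: list[str]) -> list[str]:
    """Accounts in an unsalted dump that fall to a table computed before the breach.

    One table lookup per record, and one hit exposes every user sharing that
    password. With per-user salts the same table is useless: each guess must
    be re-derived per user at ITERATIONS cost.
    """
    table = {unsalted_hash(w): w for w in wordlist}
    return [name for name, h in stored.items() if h in table]


def distinct_unsalted(stored: dict[str, str]) -> int:
    return len(set(stored.values()))


def distinct_salted(stored: dict[str, tuple[bytes, bytes]]) -> int:
    return len({digest for _, digest in stored.values()})


if __name__ == "__main__":
    leaked = store_unsalted(SAMPLE_USERS)
    print("unsalted: distinct digests", distinct_unsalted(leaked),
          "resolved by precomputed table:", resolved_by_precomputed_table(leaked, SAMPLE_WORDLIST))
    print("salted: distinct digests", distinct_salted(store_salted(SAMPLE_USERS)))
```

Running it shows two of the three unsalted records resolved by a single precomputed table (alice and bob share a digest), while the salted store yields three unrelated digests that still verify correctly for their own user only.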
"On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees' accounts with our cloud and source code hosting providers", according to Reddit.
While Reddit uses two-factor authentication to protect staff logins, the one-time codes were sent out-of-band via SMS, and the hackers intercepted them.
Speaking to the BBC, prominent security researcher Troy Hunt, whose speciality lies in data breaches affecting consumers, revealed the extent of his incredulity: "This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?" From affected accounts to security precautions, here's everything you should know about the attack.
If it's the latter, then the risk here would be for the probably small group of users who haven't changed their password since then, or who did change it but had used it on other sites without updating it there too.
That means they not only have to enter a password to log in, but they also need to receive a special code sent via text.
And it's worth taking this incident as a warning that SMS two-factor authentication isn't completely secure and that it may be worth investing in a physical authenticator key.
The internet is forever, and, yes, that apparently includes your old Reddit private messages.
Affected users will also be told that their data has been accessed and what was accessed.