The hacker also accessed Reddit logs that contained email digests sent between June 3 and June 17. The digests are short selections of popular posts recommended to users based on the subreddits they subscribe to. But the logs also connected user names with their associated email address. Reddit said that if a user doesn’t have an email address tied to their account or had selected not to receive email digests, then they are not affected by this aspect of the breach. Otherwise, the company recommends that users search their inboxes for emails sent by email@example.com between June 3 and June 17 to learn if they were affected.
For users whose account credentials were compromised, Reddit will force a password reset. Those users are also encouraged to think about whether they use that password on other sites. And for users whose email addresses were accessed through the email digest, Reddit said, “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.” The company also included instructions for users to remove their Reddit data.
The attack began after hackers targeted some Reddit employees between June 14 and June 18, compromising their accounts with Reddit’s cloud and source code hosting vendors, the company said. Reddit discovered the intrusion on June 19.
Reddit says the attacker could only access and read some of its systems that contained backup data and source code. The company said that since the intrusion it has bolstered its monitoring systems and has reported the breach to law enforcement, which is investigating.