Reddit has announced that a hacker broke into its IT systems, giving the attacker access to private user data, including current email addresses and a 2007 database backup containing old passwords.
The attacker didn’t gain full access to people’s private information. Instead, he/she gained access to read-only systems that contain backup data, source code and other logs.
“Fortunately, this Reddit breach doesn’t include credit card information. However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked,” commented Robert Capps, Vice President, NuData Security, a Mastercard company.
Reducing the risk
“From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.”
Reddit is now working with source code and cloud hosting providers to get the best possible understanding of what data the attacker accessed.
David Emm, Principal Security Researcher at Kaspersky Lab, adds, “passwords are here to stay in the short term, so it’s important that we get them right. It’s easier within a corporate context, where an organisation can set rules around setting these, like length and character type, but harder as a consumer, as we are faced with numerous online providers that might (and do) have their own rules and where there is, therefore, no consistency.
“It’s important to remember that we use a password to confirm our identity. So often today our e-mail address is the identity itself (i.e. our username). Many people have just one e-mail address and it’s often easy to guess, which compounds the problem.”
Secure your passwords!
Kaspersky Lab offers the following advice to customers choosing a new password:
- Make every password at least 15 characters long – but the longer the better.
- Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
- Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
- Combine letters (including uppercase letters), numbers and symbols.
- Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
- Use a different password for each account to prevent all of your accounts becoming vulnerable. If you find it hard to remember unique complex passwords, use a password manager to help you create, store and remember your passwords securely.
- Make use of two-factor authentication where available, as it adds an extra layer of security.
- If you suspect your password has been compromised, change it immediately.
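To make the rules above concrete, here is an added Python checker (not code from Kaspersky Lab or Reddit) that applies them to a candidate password: the minimum length, personal details, dictionary words, character-class mix and the 'recycled' pattern. The wordlist and sample values are constructed for illustration; a real deployment would load a full dictionary from disk.

```python
import re

# Constructed stand-in for a real wordlist (assumption: a deployment would load a full one).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "reddit"}

MIN_LENGTH = 15  # the 15-character floor from the advice above


def _base_form(password: str) -> str:
    """Strip trailing digits and lower-case, so 'david1' and 'david2' compare equal."""
    return re.sub(r"\d+$", "", password).lower()


def check_password(password: str, previous: tuple[str, ...] = (),
                   personal: tuple[str, ...] = (), words: set[str] = COMMON_WORDS) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    Each rule mirrors one item of the guidance: length, guessable personal
    details, dictionary words, character-class mix, and recycled variants.
    """
    problems = []
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Personal details (date of birth, partner's name, ...) must not appear anywhere.
    for detail in personal:
        if detail and detail.lower() in lower:
            problems.append(f"contains personal detail '{detail}'")
    # Dictionary-attack exposure: the whole value, or the value minus a trailing number, is a real word.
    if lower in words or _base_form(password) in words:
        problems.append("is a dictionary word")
    # Character-class mix: lowercase, uppercase, digit and symbol are all required.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if not all(classes):
        problems.append("does not mix upper, lower, digits and symbols")
    # Recycling: same base as an earlier password with only the trailing number changed.
    for old in previous:
        if _base_form(old) == _base_form(password):
            problems.append(f"recycles earlier password '{old}'")
            break
    return problems
```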
If you’re a Reddit user looking to secure your data, here’s how to remove private information from your account on this help page.
Written by Leah Alger