Social media site Reddit has suffered a data breach, but has refused to disclose its scale.
The site said it discovered in June that hackers compromised several employees’ accounts to gain access to databases and logs.
They were able to obtain usernames and corresponding email addresses – information that could make it possible to link activity on the site to real identities.
The hackers were also able to access encrypted passwords from a separate database of credentials from 2007.
Reddit said it would inform those affected by the loss of historic data, but would not be getting in touch with those impacted by the potentially much larger breach – a decision which has baffled prominent, independent security researchers.
“This is personally identifiable data that’s been exposed in what is unequivocally a data breach, why on earth wouldn’t you notify people?” said renowned security researcher Troy Hunt, a specialist in data breaches affecting consumers.
“In the case where it’s mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually.”
‘Users are not to blame’
Instead, Reddit suggested users concerned should search their own inboxes to see if they have received an “email digest” from the firm between 3 and 17 June this year – the period of time for which hackers were able to obtain detailed logs on user activity and identity.
“If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address,” wrote Christopher Slowe, Reddit’s chief technology officer.
Prof Alan Woodward from the University of Surrey said Reddit should be doing more to protect its users.
“Their concept of putting the onus on the user to consider if they have any data they wouldn’t want linked to an address is really not on,” said Prof Woodward.
“Users are not to blame.”
Reddit said hackers were able to gain access to the firm’s information by breaching its measures for protecting employees’ credentials. It authenticated access with a text message-based two-factor authentication system. In other words, when staff logged in, they had confirm their identity by entering a code sent to them via text message.
The hackers, however, were able to intercept those text messages.
“We learned that SMS-based authentication is not nearly as secure as we would hope,” wrote Mr Slowe. He said the company has taken measures to make its systems more secure.
‘More authentic, more true’
Reddit said it discovered, on 19 June, that hackers had obtained two datasets.
The first related to old user data – from May 2007 – that contained usernames, email addresses and encrypted passwords. On Wednesday Reddit began informing users who may be included in this dataset.
But it’s the second part of the breach which could affect a far larger amount of people, and may have serious consequences for those who use Reddit under a pseudonym.
Hackers were able to access logs relating to the site’s email digest function, a service that sends a daily email containing the latest updates from the sections a user follows, known as subreddits.
These logs contained every email digest sent out over the 15-day period. Crucially, the logs contained both a person’s username and associated email address – providing hackers with a database from which a person’s real identity could potentially be discovered. These users are not being directly informed by the company.
The use of pseudonyms has been touted as one of Reddit’s greatest strengths. Speaking to The Atlantic, Reddit co-founder Steve Huffman said: “When people detach from their real-world identities, they can be more authentic, more true to themselves.”
Not all users receive the email digest, but for those signing up in the US, the feature is switched on by default. According to Reddit’s own advertising metrics, 20m people in the US visit Reddit every day. Its global user base is 330m – similar to Twitter.
When asked by the BBC, a spokesperson for Reddit refused to share any estimate for how many users may be affected. Nor would the person provide a figure for how many users were receiving the email digest at the time of the breach.
The company also did not respond to a follow up question asking for more details on how it plans to inform users directly about the risk.