REDDIT has announced a major security breach that's left user details exposed – but what exactly was lost?

We reveal the inner workings of the hack, explain how you might be at risk, and set out what you should do next.

Reddit is the third most visited website in the US, and sixth in the world (Credit: handout)

Reddit hack explained – what actually happened?

A hacker managed to break into Reddit's systems, exposing user info.

The breach took place between June 14 and June 18, but Reddit didn't find out until June 19.

Reddit only revealed the breach to the public on August 1, a whole 12 days after the incident.

"We’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again," Reddit explained.

Reddit is made up of mini-forums where people gather to discuss certain topics, like technology or movies (Credit: Alamy)

Reddit breach – how did the hacker get into Reddit's systems?

Reddit employees use something called two-factor authentication on their accounts.

That means they not only have to enter a password to log in, but they also need to receive a special code sent via text.

It's a common way to protect your account from people who have nicked your password.

But Reddit says the attacker managed to intercept the SMS text message, granting access to staff accounts.

Reddit says "a few" staff members had their accounts compromised, adding: "We learned that SMS-based authentication is not nearly as secure as we would hope."

As a result, Reddit is now switching to a token system – which involves buying a physical fob that produces log-in codes instead.

The attacker wasn't able to make any changes to Reddit, but they gained access to private user files.

"The moral of this story is that SMS based 2-factor authentication should not be considered “strong” in the face of a determined attacker," said Craig Young, security researcher at Tripwire.

Reddit hacked data – what info was stolen in the breach?

There were two main bits of info stolen in the Reddit attack.

The first was all Reddit data from 2007 and before, so if you were an early member then the following was made available to the attacker:

Username

Passwords (encrypted, rather than plain text)

Email addresses

All content on the site

Private messages

This is obviously extremely bad, and will likely be very concerning to some users who hoped they were using Reddit anonymously.

If you are an affected user, you'll receive a message with a warning. You'll also find your password has been reset if your stolen credentials might still be valid.

Importantly, this part of the breach only affects users who signed up before 2007.

The second part of the breach potentially affects all users, but is likely less damaging.

Hackers gained access to email digests sent between June 3 and June 17, 2018.

Email digests are personalised newsletters, which show off some of the top posts from subreddit forums you follow.

Here's an example of an official Reddit email digest (Credit: Reddit)

Importantly, they only contain posts from safe-for-work subreddits – rather than from the hundreds of porn sub-forums available on the site.

These hacked digests reveal:

Your username

The email address associated with your username

Some of the subreddits you follow

If you don't have an email address associated with your account, you're not affected by this part of the breach.

Similarly, if you had email digests turned off during the breach period, you're safe.

Otherwise, Reddit advises you to search your email inbox for emails from noreply@redditmail.com between June 3 and June 17, 2018.
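The inbox check Reddit recommends can be automated. The script below is an added example, not something from the article or from Reddit: it assumes your mail is available as a standard mbox file (most mail clients can export one), reads it with Python's standard `mailbox` module, and lists every message from noreply@redditmail.com whose Date header falls between June 3 and June 17, 2018. The three messages in `SAMPLE_MBOX` are constructed for the demo; point `find_digests` at your own export to run it for real.

```python
import mailbox
import os
import tempfile
from datetime import datetime, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Sender and date range named in Reddit's advice.
SENDER = "noreply@redditmail.com"
WINDOW_START = datetime(2018, 6, 3, tzinfo=timezone.utc)
WINDOW_END = datetime(2018, 6, 17, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample mailbox (not real mail): one digest inside the window,
# one digest after it, and one message from an unrelated sender.
SAMPLE_MBOX = """\
From noreply@redditmail.com Tue Jun  5 08:00:00 2018
From: Reddit <noreply@redditmail.com>
To: user@example.com
Date: Tue, 05 Jun 2018 08:00:00 +0000
Subject: Your weekly digest

Top posts from the communities you follow.

From noreply@redditmail.com Mon Jul  2 08:00:00 2018
From: Reddit <noreply@redditmail.com>
To: user@example.com
Date: Mon, 02 Jul 2018 08:00:00 +0000
Subject: Your weekly digest

Top posts from the communities you follow.

From alice@example.org Sun Jun 10 12:00:00 2018
From: Alice <alice@example.org>
To: user@example.com
Date: Sun, 10 Jun 2018 12:00:00 +0000
Subject: Lunch?

Are you free on Friday?

"""


def find_digests(mbox_path, sender=SENDER, start=WINDOW_START, end=WINDOW_END):
    """Return (date, subject) for every message from `sender` sent within [start, end]."""
    hits = []
    for msg in mailbox.mbox(mbox_path):
        # Compare the bare address, not the display name, so "Reddit <...>" matches.
        _, addr = parseaddr(msg.get("From", ""))
        if addr.lower() != sender:
            continue
        raw_date = msg.get("Date")
        if not raw_date:
            continue
        try:
            sent = parsedate_to_datetime(raw_date)
        except (TypeError, ValueError):
            continue  # unparseable Date header: skip rather than crash
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)  # treat naive dates as UTC
        if start <= sent <= end:
            hits.append((sent.date().isoformat(), msg.get("Subject", "")))
    return hits


def run_demo():
    """Write the constructed mailbox to a temp file, search it, and clean up."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_MBOX)
    try:
        return find_digests(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for day, subject in run_demo():
        print(f"{day}  {subject}")
```

A hit means a digest containing your username, email address and some of your subreddits was among the messages the attacker could read; no hits, with digests enabled and the export complete, means this part of the breach did not reach you.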

Reddit hack – what do the experts say?

Robert Capps, vice president at NuData Security, a Mastercard company, said... Fortunately, this Reddit breach doesn’t include credit card information.

However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked.

From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.

Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.

However, continued reliance on static information to authenticate a user will continue to expose companies to those breaches carried out through admin accounts.

This is why many customer-facing organisations that transact online are adopting multi-layered technology solutions that incorporate passive biometrics and behavioural analytics technology.

This technology helps make stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data.

Reddit hack safety – what do you need to do next?

After any breach, it's advisable to change your password immediately.

If you use the same passwords on several accounts, change those log-in details too.

The fact that the leaked passwords were hashed rather than stored in plain text isn't good enough, sadly.

"Attackers use this information in a few ways," said Travis Biehn, technical strategist at Synopsys.

"First up, they’ll try account name and password pairs on other websites, exchanges, banks, and so on.

"Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90% of original password values."
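Why "salted and hashed" is not enough on its own comes down to how cheap each guess is. The example below is added here and is not from the article, from Reddit or from Synopsys; the article does not say which hash Reddit used in 2007, so the fast scheme is a stand-in for that era's approach, and the hardened scheme uses PBKDF2-HMAC-SHA256 at the 600,000 iterations OWASP recommends for that KDF. Both verify correctly; the point is the measured cost of one guess against each.

```python
import hashlib
import hmac
import os
import time

# --- Weak scheme: a single fast hash over salt + password ----------------------
# A per-user salt defeats precomputed tables, but each guess still costs one
# SHA-256 call, so anyone holding the dump can test guesses very quickly.
def fast_hash(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def fast_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(fast_hash(password, salt), stored)


# --- Hardened scheme: a deliberately slow password-based KDF --------------------
# PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP's recommended work factor
# for this KDF). Every guess now costs hundreds of thousands of HMAC calls.
KDF_ITERATIONS = 600_000


def slow_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


def slow_verify(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(slow_hash(password, salt), stored)


def new_salt() -> bytes:
    return os.urandom(16)  # one fresh random salt per user


def cost_per_guess(hash_fn, rounds: int) -> float:
    """Average seconds one guess costs someone who already holds the salt."""
    salt = b"\x00" * 16  # fixed salt: we are timing, not storing
    start = time.perf_counter()
    for _ in range(rounds):
        hash_fn("correct horse battery staple", salt)
    return (time.perf_counter() - start) / rounds


def slowdown_factor() -> float:
    """How many times more expensive a guess is against the hardened scheme."""
    return cost_per_guess(slow_hash, rounds=1) / cost_per_guess(fast_hash, rounds=2000)


if __name__ == "__main__":
    salt = new_salt()
    stored = slow_hash("hunter2", salt)
    print("correct password accepted:", slow_verify("hunter2", salt, stored))
    print("wrong password rejected:", not slow_verify("hunter3", salt, stored))
    fast = cost_per_guess(fast_hash, rounds=2000)
    slow = cost_per_guess(slow_hash, rounds=1)
    print(f"fast hash: ~{1 / fast:,.0f} guesses/s per core")
    print(f"PBKDF2:    ~{1 / slow:,.0f} guesses/s per core")
    print(f"slowdown factor: ~{slow / fast:,.0f}x")
```

The slowdown factor is what a slow KDF buys a site's users: it raises the cost of every guess by orders of magnitude, but it cannot rescue a password that is short, common, or reused elsewhere, which is why changing reused passwords after a breach still matters.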


If you've used Reddit under the guise of anonymity to post anything you don't want linked to your public life, we recommend deleting the old content – or even your Reddit account.

And it's worth taking this incident as a warning that SMS two-factor authentication isn't completely secure, and that it may be worth investing in a physical authenticator key.

Google employees use the Yubico key, which can be bought on Amazon relatively cheaply.


Koby Kilimnik, security researcher at Imperva, adds: "If you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database."
