What happened
On August 1, 2018, Reddit disclosed a security breach in which an attacker compromised several employee accounts between June 14 and June 18 by intercepting SMS-based two-factor-authentication codes. The intruder gained read-only access to systems holding a 2007 database backup, exposing usernames, salted and hashed passwords, email addresses, and old content, including some private messages, for users registered before May 2007.
Reddit also reported that the attacker accessed source code, internal logs, and email digests sent in June 2018. In response, the company moved staff off SMS-based authentication and onto token-based two-factor authentication and notified affected users. The incident became an often-cited demonstration that SMS-delivered codes can be intercepted, and it pushed Reddit toward stronger internal account-security practices.