38 Comments
- YourTechSupport, on 10/12/2007, -1/+34: I heard the founder is a giant chicken!
- msaleem, on 10/12/2007, -0/+28: I tried submitting the actual link to their site, but Digg said it was an invalid link. You don't have to go to the linked article (my blog) you can just go here:
  http://reddit.com/blog/theft
- admirabumblebee, on 10/12/2007, -0/+24: I don't sign up to websites with an email address that I care about... I feel safer!
- armbar, on 10/12/2007, -0/+16: Your name is Herman G., you live in Northridge, CA, your email is [yourdiggusername]@hotmail.com (at least one of them is, anyway)
  That worked pretty well, thanks for the suggestion.
- HMTKSteve, on 10/12/2007, -2/+17: I also read that they stored passwords in plaintext, not a hash!!!
- LR2_, on 10/12/2007, -2/+16: Even if the passwords are in md5 hash, the passwords are easily compromised with the right equipment. Also, there are various websites that offer free md5 hash searching using rainbow tables. Anyone that used a primary password should change it.
- armbar, on 10/12/2007, -0/+10: Doesn't make much of a difference now; they already have your address :)
  Let the v14g4ra emails commence!
- sporkmonger, on 10/12/2007, -0/+9: @LR2:
  Which is why you use properly salted SHA1 hashes if you're a responsible site operator. That way the hashes are only applicable to your site and no other. Makes stuff like http://md5.rednoize.com/ completely ineffective.
- Xepo, on 10/12/2007, -1/+9: Er, I think I'd be a bit more worried that the passwords were stolen than the email addresses. Lots of people use the same password in a lot of places (though hopefully you wouldn't use the same password for a site like this and for something actually important).
  What the hell were they doing actually storing the passwords, anyway? Ever hear of this technique from the '80s called hashing?
- HMTKSteve, on 10/12/2007, -4/+11: Hmmm....
  Sounds like a banning offense!
  Oh No! Catch-22! Is it blog spam or is it one of those linking to a blocked website types of things!
  Watch out for the Digg Secret Bury police!
  OMG Lazerz pew pew pew...
- inactive, on 10/12/2007, -0/+6: 1 2 3 4 5? Amazing! I have the same combination on my luggage!
- catch-22, on 10/12/2007, -5/+11: mmmmm... salted hashes... is anyone else getting hungry from this thread?
- deacont23, on 10/12/2007, -0/+6: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
- remiprev, on 10/12/2007, -0/+5: Spaceballs rocks.
- stryker2you, on 10/12/2007, -0/+5: Darn, so now someone has my info... I hope they don't find out I use the password superdude for everything.
- AhmedF, on 10/12/2007, -0/+5:
  $salt = genSalt(3); //3 letters long
  $enc_pw = sha1(md5($original_pw),$salt);
  Whew that was tough.
- dchesterton, on 10/12/2007, -0/+4: It doesn't matter what type of encryption you use, whether it be MD5, SHA-1 or SHA-512, all are equally prone to a dictionary attack. For best results you should include a hard coded salt, applicable to all passwords and stored outside of the database and a random salt for every user. This way even if the attacker gets the random salt they still can't dictionary attack it.
  I highly doubt such a high profile site as reddit would have stored passwords as plain-text, it would be an incredibly foolish thing to do.
- cinnix, on 10/12/2007, -1/+5: Oh lord, this means that all my "low-priority" passwords could possibly be compromised, and that all my timewasting websites are due for a potential hijacking. I don't care about my email address at all, but if my account details are compromised I'm going to be pretty pissed.
  *Changes Digg password*
- digitalunltd, on 10/12/2007, -0/+4: Wow how could this happen!!! I mean Aaron runs a real company, not an "infantilizing" company like Google. Like Aaron says: "Google's famed secrecy doesn't really do a very good job of keeping information from competitors. Those who are truly curious can pick up enough leaks and read enough articles to figure out how mostly everything works."
  Well at least they keep user data out of the hands of thieves!
- djscruffee, on 10/12/2007, -0/+3: i just moved over here from reddit. most times it's just annoying dreck. the voting system drives me nuts and it doesn't have categories.
- YourTechSupport, on 10/12/2007, -0/+2: Get something like KeePass Password Safe. I started using it a couple weeks ago. It can generate some nice passwords and you can drag and drop them from the list into mozilla :D
- ChewyBass, on 10/12/2007, -3/+5: Does anyone have a link to the torrent. I'd like to download and reddit just for fun.
- drawkbox, on 10/12/2007, -0/+1: So the question is does digg hash their pwds? I doubt it. Most simple services like social bookmarking I bet do not.
- AhmedF, on 10/12/2007, -1/+2: Oops I meant . instead of ,
  You get the idea :)
- onebigword, on 10/12/2007, -1/+2: ^ in reference to one of the reddit guy's blog post about Google's working conditions. There's a very fun comment thread after the blog post.
  http://www.aaronsw.com/weblog/googlife
- inactive, on 10/12/2007, -0/+0: so that's what happens when you get taken over. I just don't care about anything so I use the same password for everything. That way if it gets taken over I'll just buy a new passport off craigslist and start all over again. Might even get a new birth certificate, just to make me feel younger.
- magnum818, on 10/12/2007, -4/+4: You can easily find out who an email address is linked to by using myspace or friendster.
- PhantomBantam, on 10/12/2007, -1/+1: I'm absolutely terrible with passwords, since most of them are completely the same. Gmail is the one site that I have a different password for. What makes it even worse is that I use the same username for everything as well.
- RadiatedAnt, on 10/12/2007, -1/+1: Yay! more spam!!
- inactive, on 10/12/2007, -1/+1: Email addresses you use on websites should not be considered secret or safe. Doesn't matter what website it is.
- democracysucks, on 10/12/2007, -3/+2: Anyone know how to delete a reddit account? I can't seem to find it anywhere, but that place is useless anymore.
- inactive, on 10/12/2007, -2/+1: Spammers 1
  Reddit 0
- meldroc, on 10/12/2007, -4/+2: Oh well. The password I had over there was already insecure, and my email address is already infested with spam.
- inactive, on 10/12/2007, -4/+1: Digg FTW!
- inactive, on 10/12/2007, -13/+10: Reddit is the best site in the world... but only if you're a liberal extremist who thinks he's a genius, and who likes to insult every other online community (especially Digg) for being too stupid for them and having awful content... only to then submit to Reddit yet another link to yet another picture of a zoomed-in snowflake.
- uguysmakemesick, on 10/12/2007, -7/+1: d'oh. and i just signed up for reddit a few weeks back. guess it's back to digg for me
- gd007, on 10/12/2007, -17/+4: i use digg, i feel safe!
- armbar, on 10/12/2007, -16/+3: I heard that Jesus uses Reddit!
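
Added example, not part of the thread and not any commenter's code: the scheme sporkmonger and dchesterton describe above (a random salt per user plus a site-wide secret stored outside the database), sketched in Python. PBKDF2-HMAC-SHA256 is swapped in for the single SHA-1 round mentioned in the thread; `PEPPER`, `ITERATIONS`, the function names and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumption: site-wide secret ("hard coded salt") kept outside the database,
# e.g. in configuration. Constructed value, for this example only.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 100_000  # assumed work factor


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """HMAC the password with the pepper, then stretch it with the user's salt."""
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def create_record(password: str) -> dict:
    """Database row: a random per-user salt and the hash, never the pepper."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def matches_without_pepper(record: dict, wordlist: list) -> bool:
    """Recompute candidates from the database row alone (salt known, pepper not)."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), record["salt"], ITERATIONS),
            record["hash"],
        )
        for w in wordlist
    )


if __name__ == "__main__":
    first = create_record("superdude")   # constructed sample passwords
    second = create_record("superdude")
    print("same password, different hashes:", first["hash"] != second["hash"])
    print("correct password verifies:", verify("superdude", first))
    print("wrong password verifies:", verify("12345", first))
    print("row alone matches wordlist:", matches_without_pepper(first, ["12345", "superdude"]))
```

The pepper only helps while it stays out of the dump: a leaked row together with the pepper can be guessed against again, which is why the work factor still matters.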

