Cyberattack Compromised Reddit Database
According to a recent report, Reddit has informed its users that a hacker compromised some of its systems and accessed user data stored on a 2007 database that contained usernames, passwords and posts. The report states that the information was hashed for protection and that the company is in the process of informing users that joined in 2007 or earlier.
According to The Verge, in June 2018, the hacker compromised several employee accounts through a cloud provider by intercepting SMS verification. The report states that the intruder was able to see messages posted from 2005 – 2007, backup data, source code and other employee logs. It states that the hacker was also able to read email digests Reddit sent in June 2018 and users’ email addresses and subreddits.
In addition to changing passwords, Reddit is encouraging users to take additional authentication steps. The report states that Reddit contacted law enforcement and is cooperating with the investigation.
The FTC is the nation’s primary privacy and data security enforcer, and FTC data privacy and defense lawyer Richard B. Newman reports that the agency has steadily been increasing its data privacy investigation and enforcement efforts in recent years. The Commission uses various tools to protect consumers’ privacy and personal information including bringing enforcement actions and requiring companies to take affirmative steps to remediate unlawful behavior. The Commission also issues reports, conducts research and holds events to critically examine emerging privacy and data security issues.
In 2018, the FTC has focused particularly on children’s privacy and security. For example, a connected toy maker recently agreed to pay $650,000 to settle allegations that it violated the Children’s Online Privacy Protection Act by collecting personal information from children without providing direct notice and obtaining their parents’ consent, and by failing to take reasonable steps to secure the data it collected.
FTC civil investigative demands (CIDs) often follow publicly reported privacy and data security incidents. As part of the investigatory process, the agency consistently seeks to enforce privacy promises that companies make to consumers. For example, when companies represent that they will safeguard consumers’ personal information, the FTC will not hesitate to initiate an enforcement action pursuant to Section 5 of the FTC Act if such promises are not adhered to or are otherwise deceptive.
Companies should build reasonable privacy protections and safeguards into each element of their business. The majority of the FTC’s privacy and data security cases involve the “deception” prong of Section 5. Some data breach cases include allegations of unfairness under the Act, as well. This second prong has been the subject of significant recent controversy.
The Federal Trade Commission investigates and prosecutes privacy and data security violations pursuant to other laws and rules, including, but not limited to, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Telemarketing and Consumer Fraud and Abuse Act.
Richard B. Newman is an FTC advertising compliance and privacy attorney at Hinch Newman LLP.
Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.