According to Reddit, the attack happened between June 14 and June 18. The cybercriminals apparently managed to compromise some employees' accounts and gain access to some of the systems that contained backup data, source code, and some logs. While Reddit admits that it was a serious attack, it also points out that it could have been far worse if the attackers had gained access to other systems.
Reddit itself lists the stolen data as follows:
If your account information might have been compromised in the attack, Reddit will send you an email with further information. Also: if you have an old account and have a) never changed its password and/or b) other accounts that use the same one, now might be a good time to change it.
If you now think this is yet another company whose employees did not care about security, you are mistaken. Apparently, the targets even used a kind of two-factor authentication; it just was the least secure one, the SMS-based version. While that is still better than nothing, it is way too easy to intercept the messages. The US National Institute of Standards and Technology even advised against using it some years ago.
Nonetheless, and just to make a point: rather than using no 2FA at all, please use the SMS one. If you have the choice, though, opt for a token-based or similar system.