According to Reddit, the hack happened between June 14 and June 18, when a hacker compromised the accounts of several of its employees via SMS intercept as they were using SMS-based two-factor authentication (2FA). The hacker then managed to access old salted and hashed passwords from a 2007 database backup and the current email addresses of some Reddit users. Reddit has sent messages to all users whose email addresses and passwords have been compromised during the hack, urging them to update their credentials as soon as possible, especially if they’re using the same email address and password to log into other online services as those may be compromised too. Additionally, Reddit recommends all users to enable token-based 2FA now.