The company has learned the hard way that there
are better ways to deliver two-factor authentication than via text messages
Reddit has announced that a hacker has broken
into some of its systems and accessed some user data, including an old database
backup copy containing user credentials, email addresses, and messages.
Additionally, the breach affected the usernames and associated email addresses
of “redditors” who received email digests this past June, according to an announcement by the site’s chief technology officer
Christopher Slowe.
The incident took place between June 14-18,
with the company learning about it on June 19. “Since then we’ve been
conducting a painstaking investigation to figure out just what was accessed,
and to improve our systems and processes to prevent this from happening again,”
said Slowe.
So what exactly was compromised? For one
thing, a database backup containing cryptographically salted and hashed
password data from the period between the site’s launch in 2005 and May 2007.
Also accessed were user names, associated email addresses, and all of the
users’ messages, including private ones, up until May 2007. To be sure, the
site was a much, much smaller place back then.
In its response to the breach, Reddit is
resetting the passwords on the accounts of users who it believes may have been
affected. Needless to say, people who still use the same password elsewhere should change their
credentials on the other sites, too.
Additionally, the hack also compromised email
digests that the site sent out to users between June 3-17 of this year. These
digests connect a user name to the corresponding email address, thus
potentially exposing the users’ anonymity, while also containing suggested
posts from selected subreddits to which the users subscribe.
SMS 2FA hardly a hurdle
One thing that stands out in this incident is
that the attacker broke into the cloud hosting and source-code repository
accounts of several Reddit employees despite the fact that they use SMS-based
two-factor authentication (2FA).
“Already having our primary access points for
code and infrastructure behind strong authentication requiring two factor
authentication (2FA), we learned that SMS-based authentication is not nearly as
secure as we would hope, and the main attack was via SMS intercept. We point
this out to encourage everyone here to move to token-based 2FA,” wrote Slowe.
Security professionals have, in fact, advised
against using text messages as the second factor due to their susceptibility to
various threats. Hardware tokens and authenticator apps are more secure alternatives.
The site found solace in the fact that “the
attacker did not gain write access to Reddit systems”. “[T]hey gained read-only
access to some systems that contained backup data, source code and other logs.
They were not able to alter Reddit information, and we have taken steps since
the event to further lock down and rotate all production secrets and API keys,
and to enhance our logging and monitoring systems,” said the site.