3.8.18

Reddit reveals breach as attacker circumvents staff’s 2FA



The company has learned the hard way that there are better ways to deliver two-factor authentication than via text messages
Reddit has announced that a hacker has broken into some of its systems and accessed some user data, including an old database backup copy containing user credentials, email addresses, and messages. Additionally, the breach affected the usernames and associated email addresses of “redditors” who received email digests this past June, according to an announcement by the site’s chief technology officer Christopher Slowe.
The incident took place between June 14-18, with the company learning about it on June 19. “Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again,” said Slowe.
So what exactly was compromised? For one thing, a database backup containing cryptographically salted and hashed password data from the period between the site’s launch in 2005 and May 2007. Also accessed were user names, associated email addresses, and all of the users’ messages, including private ones, up until May 2007. To be sure, the site was a much, much smaller place back then.
In its response to the breach, Reddit is resetting the passwords on the accounts of users who it believes may have been affected. Needless to say, people who still use the same password elsewhere should change their credentials on the other sites, too.
Additionally, the hack also compromised email digests that the site sent out to users between June 3-17 of this year. These digests connect a user name to the corresponding email address, thus potentially exposing the users’ anonymity, while also containing suggested posts from selected subreddits to which the users subscribe.
SMS 2FA hardly a hurdle
One thing that stands out in this incident is that the attacker broke into the cloud hosting and source-code repository accounts of several Reddit employees despite the fact that they use SMS-based two-factor authentication (2FA).
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” wrote Slowe.
Security professionals have, in fact, advised against using text messages as the second factor due to their susceptibility to various threats. Hardware tokens and authenticator apps are more secure alternatives.
The site found solace in the fact that “the attacker did not gain write access to Reddit systems”. “[T]hey gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” said the site.