Reddit suffers data breach despite using SMS-based 2FA
Popular social news aggregation and discussion website Reddit has suffered a breach. The attacker broke into some of its systems and got access to some user data, but did not manage to modify any of the site’s content.
About the breach
According to the statement published by Reddit CTO Christopher Slowe (“KeyserSosa”), the breach happened sometime between June 14 and June 18 and they discovered it on June 19.
He said that the attacker compromised a few of their employees’ accounts with their cloud and source code hosting providers, despite them having two factor authentication (2FA) set up for additional protection.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” he shared.
He did not say how the employees’ passwords were compromised, nor how the attacker was able to intercept the SMSes with the additional authentication factor.
What was compromised?
It took Reddit over a month to come forward with the confirmation of the breach, so it’s likely that they now have a pretty good idea of what went on.
According to Slowe, the attacker accessed an old database backup containing Reddit user data, but only those that signed up from the site’s launch in 2005 through May 2007.
“In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then,” he explained.
The attacker also managed to get access to logs containing the email digests they sent between June 3 and June 17, 2018, which “connect a username to the associated email address” and contain suggested posts from subreddits users subscribe to.
Users whose data was accessed will be notified directly and are advised to change their password and additionally secure their accounts with 2-factor authentication.
“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today,” he advised.
If the passwords haven’t been properly salted (unique salt for each password), the attacker might recover some of them relatively quickly and might try to use the compromised account name and password pairs on other websites.
Reddit users might believe they are relatively anonymous as they need to provide only a username and email address to sign up for an account, but Slowe advised users affected by the breach to think about whether there’s anything on their Reddit account that they wouldn’t want associated back to that address.
If there is, they might want to remove that information (posts, drafts, comments, private messages, chat messages) from the account.
Finally, he shared that they are taking measures to guarantee that additional points of privileged access to Reddit’s systems are more secure, and that the company hired their first Head of Security two and a half months ago.
“Network intrusions like this are inevitable. The Reddit issue reinforces again that being breached is not a question of ‘if’ but ‘when’ and a multi-layered approach to security is needed,” Jason Hart, VP and CTO at Gemalto, commented for Help Net Security.
“Given today’s security climate, all online companies should use the forms of multi-factor authentication that are appropriate for the data assets being accessed as well as using encryption and key management to secure sensitive data.”
Ambuj Kumar, CEO of Fortanix, noted that malicious actors can intercept text messages using fake base stations or subscriber hijacking attacks, yet many banks and service providers continue to use SMS-based authentication.
“In the Digital Identity Guidelines published by NIST last year, SMS-based authentication is considered risky and its use is restricted. While two-factor authentication can help a lot, it has to be the right kind of two-factor.”