Company is now moving to token-based 2FA
Reddit was hacked over a month ago, but it has only now told its users that they need to change their passwords on the site.
The breach happened between June 14 and 18 according to an announcement made by co-founder Christopher Slowe on the website. Reddit found out on June 19.
Mr Slowe went on to state that: “The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information.”
However, he does note that they gained access to an old database backup which contained Reddit user data from the site's foundation in 2005 up to May of 2007.
This database held sensitive user data such as account credentials, email addresses and all users' messages sent on the platform at that time, including private messages.
All Your Base Are Belong To Us
The hacker gained access to Reddit’s systems via an SMS intercept.
Christopher Slowe notes how the Reddit team have learnt the hard way that: “SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
Tyler Moffit, Senior Threat Research Analyst at Webroot told us in an emailed statement that: “While Reddit’s use of SMS-based authentication is popular and much more secure than password alone, it’s widely known to be vulnerable to cybercriminals who have hacked many celebrities using this method.”
“In this type of attack, the phone number is the weakest link. Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication.”
“For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax,” he notes.
Reddit have announced that they are sending messages to any user who has been affected by the data breach.
In their announcement to the community they state that they will be improving security by enhancing logging, adding more encryption and, from now on, switching to a token-based two-factor verification process.
The user data that was accessed had been hashed and salted. Hashing is a one-way mathematical operation which turns data into a fixed-length scrambled value; salting is the addition of random data to each password before it is hashed, so that identical passwords do not produce identical hashes and the stored values are harder to reverse.
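To make the hashing and salting point concrete, the following is an added illustration (not Reddit's code; the article does not say which algorithm Reddit used) that stores two constructed users who chose the same password, once with a plain digest and once with a per-user random salt and PBKDF2-HMAC-SHA256, and shows why a table of precomputed digests matches the unsalted store but not the salted one:

```python
import hashlib
import hmac
import os

# Constructed sample accounts; both users chose the same weak password.
USERS = {"alice": "hunter2", "bob": "hunter2"}
# Assumed PBKDF2 iteration count for the salted variant.
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: equal passwords give equal digests, and the digest can be precomputed."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = None) -> tuple:
    """Random 16-byte salt per account, mixed in via PBKDF2; returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected_hex)


def compare_stores(candidates) -> dict:
    """Count how many stored digests a table of precomputed unsalted digests explains."""
    # Table built once from a candidate word list (constructed), keyed by unsalted digest.
    table = {hash_unsalted(p): p for p in candidates}

    unsalted_store = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_store = {u: hash_salted(p) for u, p in USERS.items()}

    unsalted_hits = sum(h in table for h in unsalted_store.values())
    # Salted digests never appear in the table: the salt was not known when it was built.
    salted_hits = sum(d in table for _, d in salted_store.values())
    # Without a salt, shared passwords are also visible as duplicate digests.
    duplicates = len(unsalted_store) - len(set(unsalted_store.values()))

    return {"unsalted_hits": unsalted_hits, "salted_hits": salted_hits,
            "duplicate_digests": duplicates}


if __name__ == "__main__":
    print(compare_stores(["password", "hunter2", "letmein"]))
```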
Stephen Walsh, Sr Director of security at CA Technologies told us in an emailed statement that: “90 percent of organisations claim that they are very good at protecting consumer data, despite the fact that nearly half of business executives admitted that their company has been involved in a publicly disclosed consumer data breach in the last year.”
However, since the breached data dates from ten years ago, it is quite possible that the hackers can decode any information they have obtained.
Joseph Carson, Chief Security Scientist at Thycotic commented in an emailed statement that: “The hack at Reddit is a reminder that when protecting sensitive data by choosing 2FA in addition to a password, it is important to know that not all 2FA offers the same security; for example, the difference between using SMS-based authentication and token based authentication.”
“I am concerned that Reddit seems to be playing down the data breach as it was ‘only read access to sensitive data and not write’; this is positive news, however, it does not reduce the severity of the breach when it relates to sensitive data,” he added.
Rashmi Knowles, Field CTO EMEA at RSA Security told Computer Business Review: “It is vital that true multi-factor authentication is mandatory in a company’s security strategy. For example, proximity-based solutions or biometrics can provide a simple way for users to prove who they are, while also reducing the risk of a breach. By putting another wall of defence up that can’t be mimicked, organisations can effectively manage their digital risk and keep user data secure.”