User data and private messages exposed in Reddit breach
Reddit, one of the world’s most popular websites and the self-proclaimed “front page of the internet,” was hacked in June, exposing some user data, internal logs, source code and other files, according to a post published to the platform Wednesday.
Chief Technology Officer Christopher Slowe wrote on Reddit’s front page that an attacker compromised the accounts of several employees between June 14 and June 18 using an SMS intercept. The technique involves intercepting the two-factor authentication code that a website or app texts to a user when that person is logging on.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope,” read the post from Slowe, who goes by the username u/KeyserSosa. “We point this out to encourage everyone here to move to token-based 2FA.”
With SMS codes and passwords in hand, the hackers were able to get access to two important areas of user data contained in backup files. One was all Reddit data from the site’s launch in 2005 up to May 2007.
According to Slowe’s post, the most significant data in the backup was account credentials, meaning usernames and their corresponding salted and hashed passwords, email addresses and all content including private messages.
Also compromised were logs containing email digests sent by Reddit to users between June 3 and June 17, 2018. The digests connected Reddit usernames to emails, and showed suggested content from specific forums within the site — also known as subreddits — that the users subscribed to.
The attacker also gained read-only access to some systems that “contained backup data, source code, and other logs.” They were unable to alter any information on the site itself, which is a vast collection of forums that allows users to upload content based on their interests and rate what is uploaded using a voting system. Currently, it is the fifth-most popular website in the United States, and 17th most popular globally.
Since the attack, Reddit says it has been cooperating with law enforcement officials and their investigation, has notified users who may have been affected and heightened security through enhanced logging, more encryption and requiring token-based two factor authentication. Token-based 2FA typically means requiring users to have a piece of hardware, like a physical security key, that they must present as part of the login process.
Reddit is the latest organization to fall victim to a SMS-intercept based attack, but the vulnerability is nothing new. In 2014, cybersecurity experts began warning the public that weaknesses in SS7, a widely-used communications protocol, could allow hackers to intercept and read SMS messages.
And in December 2016, the National Institute of Standards and Technology urged government agencies to move away from SMS authentication, citing security concerns.