Reddit announced today a security breach. The social platform says a hacker (or hackers) breached the accounts of several employees after bypassing two-factor authentication (2FA) and stole information including some email addresses, logs, and a 2007 database backup containing old salted and hashed passwords.
The hack took place between June 14 and June 18. Reddit said it discovered the breach the next day, on June 19.
Reddit said the hacker never got “write access” to its servers.
“They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company said.
Hacker stole old passwords
But the hacker did get “read access,” which Reddit says he used to download a copy of an older Reddit site backup from May 2007.
Reddit said this backup contained data on its users who were active on the site from the site’s launch in 2005 until May 2007, the date of the backup.
“The most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then,” Reddit said.
Users who registered after May 2007, and messages and posts published after that date, are considered safe.
Hacker also stole more recent usernames and emails
Reddit also said the hacker downloaded some logs for Reddit’s email digest feature, and more precisely, for the email digests sent on June 3 and June 17, 2018.
“The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to,” Reddit said.
The social platform said that all users whose data the hacker had taken would be notified via a Reddit message. Users who still use their 2007 passwords will be prompted to change them.
Reddit also said the hacker accessed the company’s source code, internal files, configs, and employee work files.
Hacker bypassed 2FA
Reddit pinned the incident on the hacker’s ability to bypass 2FA. Reddit said the hacker performed an SMS intercept attack for the phone numbers of some of its employees and intercepted the 2FA codes necessary to access the employees’ accounts.
While Reddit didn’t say it, this also means the hackers knew the employees’ account passwords. Protecting accounts in exactly that situation, where a threat actor already knows the password, is the main reason two-step verification systems like 2FA were created in the first place.
Reddit said it migrated employees from SMS-based 2FA to token-based 2FA and urged other companies and users to do the same. Other details are available in the Reddit site-wide announcement.
The US National Institute for Standards and Technology (NIST) has advised against using SMS-based 2FA, and academics have bypassed SMS-based 2FA for a few years now, but in recent weeks, SMS-based 2FA has been proven to be broken in the real world [1, 2]. Nevertheless, despite its problems, security researchers still recommend SMS-based 2FA over not using 2FA at all.
Do I think Reddit, a US-based major social influence platform used by Presidents, should have used SMS 2FA for admin remote access? No. They were always going to get targeted by big sharks. Do I think a shoe retailer can protect Outlook Web App via SMS? Yes.
— kevin (@GossiTheDog) August 1, 2018