Reddit, one of the largest sites on the Internet, revealed last week that employee accounts at the Internet giant had been compromised. The accounts, held at cloud and source code hosting providers, allowed the attackers to gain access to systems that contained backup data, source code and log details. The most worrying thing for many security experts is that the Reddit hack seems to indicate that the industry-standard two-factor authentication approach, in certain cases, might not offer as much protection of sensitive data as has long been assumed.
Older accounts affected by Reddit hack
Reddit was at pains to explain that only those users who registered and maintained accounts before 2007 would be affected. What may be worrying is that Reddit discovered the compromised accounts on June 19 – but took nearly a month to notify those who are affected.
The attacker also gained access to logs containing email digests sent between June 3 and June 17, 2018. Email digests are basic recaps of safe-for-work subreddits a given user subscribes to, but they can connect usernames to associated email addresses. Reddit further highlighted that credit card data was not affected.
“If you don’t have an email address associated with your account or your ’email digests’ user preference was unchecked during that period, you’re not affected,” said Reddit.
Two-factor authentication bypassed
User authentication using a multi-factor system has long been regarded as a solid defense against hackers. But, as Reddit pointed out in a post on its website, there was a weakness, and it involved interception of SMS messages. Reddit engineers did note that the site itself requires people to use TOTP (Time-based One-Time Password), because it was already known that a two-factor authentication (2FA) solution relying on authentication codes received via text message had issues.
“Already having our primary access points for code and infrastructure behind strong authentication requiring 2FA, we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” the post explained.
“…but there are situations where we couldn’t fully enforce this on some of our providers since there are additional ‘SMS reset’ channels that we can’t opt out of via account policy. We’ve since resolved this,” the engineer, who goes by KeyserSosa, explained.
Reddit has since committed to strengthening its approach to security, and it has reached out to users who were impacted by the incident. It noted that user email addresses and, in some cases, private messages may have been exposed. The backups also included old salted and hashed passwords.
Affected users of Reddit offered advice
Reddit is working closely with law enforcement to ensure that those responsible are brought to book. However, the company did offer some advice to those whose accounts may have been affected by the failure in two-factor authentication.
“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today… And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams.”
Experts weigh in on two-factor authentication
Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), was quick to explain just why the failure of two-factor authentication should be of great interest to security professionals.
“This breach is particularly interesting because it is an example of SMS-based two-factor authentication being used to compromise a major service provider. While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.”