Reddit Hack Exposes Two-Factor Authentication Weakness

Reddit, one of the largest sites on the Internet, revealed last week that employee accounts at the Internet giant had been compromised. The affected accounts were held at cloud and source code hosting providers, and their compromise allowed the hackers to reach systems containing backup data, source code and logs. The most worrying aspect for many security experts is that the Reddit hack seems to indicate that the industry standard two-factor authentication approach, in certain cases, might not offer as much protection of vulnerable data as has long been thought.

Older accounts affected by Reddit hack

Reddit was at pains to explain that those users who registered and maintained accounts before 2007 would be affected. What may be worrying is that Reddit discovered the compromised accounts on June 19 – but has taken nearly a month to notify those who are affected.

The attacker also gained access to logs containing email digests sent between June 3 and June 17, 2018. Email digests are basic recaps of safe-for-work subreddits a given user subscribes to, but they can connect usernames to associated email addresses. Reddit further highlighted that credit card data was not affected.

“If you don’t have an email address associated with your account or your ’email digests’ user preference was unchecked during that period, you’re not affected,” said Reddit.

Two-factor authentication bypassed

User authentication using a multi-factor system has long been regarded as a solid defense against hackers. But there appears to have been a weakness, as pointed out by Reddit in a post on their website, and it involved interception of SMS communication. Reddit engineers did note that the site requires people to use TOTP (Time-based One-Time Password), because it was already known that a two-factor authentication (2FA) scheme which delivers its one-time codes via text message had issues.

“Already having our primary access points for code and infrastructure behind strong authentication requiring 2FA, we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” the post explained.

“…but there are situations where we couldn’t fully enforce this on some of our providers since there are additional ‘SMS reset’ channels that we can’t opt out of via account policy. We’ve since resolved this,” the engineer, who goes by KeyserSosa, explained.

Reddit has since committed to strengthening their approach to security, and they did reach out to users who were impacted by the incident. They noted that it was possible that user email addresses and, in some cases, private messages were exposed. The backups also included old salted and hashed passwords.

Affected users of Reddit offered advice

Reddit is working closely with law enforcement to ensure that those responsible are brought to book. However, the company did offer some advice to those whose accounts may have been affected by the failure in two-factor authentication.

“If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today… And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams.”

Experts weigh in on two-factor authentication

Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team) was quick to explain just why the failure of two-factor authentication should be of great interest to security professionals.

“This breach is particularly interesting because it is an example of SMS-based two-factor authentication being used to compromise a major service provider. While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.”

About a month ago I had a discussion on Reddit about 2FA; such an irony, ha? I always thought it was insecure to use SMS as an OTP delivery method, and I hope this situation will make the company and average users learn to keep their data safe. I hate to say it, but if they had used at least Protectimus Slim tokens, which are set up exactly like authentication apps (you can add a secret key to this token), that situation would never have occurred. I hope eventually everything will work out for the best with Reddit.

Thank you for being a part of the CPO Magazine community.