Reddit Breached After SMS 2FA Fail

Written by

Reddit has become the latest big-name tech firm to admit to a major data breach, after hackers compromised staff accounts by intercepting SMS-based two-factor authentication codes.

The firm’s CTO, Christopher Slowe, explained in a lengthy Reddit post that it discovered the attack over a month ago, on June 19.

“We learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” he said.

“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

Craig Young, security researcher at Tripwire, argued the incident proves the fallibility of SMS-based verification tokens, which can be stolen via a variety of techniques.

“The most common technique is most likely use of smartphone malware which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user but this seems less likely in such a targeted campaign,” he added.

“Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM.  An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars of equipment.”

Reddit’s attackers managed to access two troves of data: an old back-up database from 2005-07 featuring “account credentials (username salted hashed passwords), email addresses, and all content (mostly public, but also private messages)” and email digest logs from between June 3 and June 17, 2018 containing username and email.

The passwords are probably safe if they’ve been salted and hashed as it would take a significant amount of effort by the attackers to crack them, explained Koby Kilimnik, security researcher at Imperva.

“Notwithstanding that, I would still recommend changing your Reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database,” he added

“Another good idea is not to use the leaked password anywhere else. Although it’s hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future ‘credential stuffing attack’.”

The firm claimed it is notifying users about the older breach but has told users potentially affected by the newer one that they must proactively search their inbox for emails from between June 3-17, 2018.

It’s been reported that this trove could be far larger than the first and may help the attackers unmask anonymous users by linking their pseudonym to their username and email address.

The platform has over 300 million global users and US users have the email digest function switched on by default, so the number could theoretically top 200 million.

Because European citizens' data is presumably affected by the breach, and the incident occurred in June, it’s likely that GDPR regulators will get involved. There will be question marks for starters over the length of time it took to notify customers and the decision to force users to proactively check their emails to see if they were affected by the more recent breach.

What’s hot on Infosecurity Magazine?