Reddit suffers data breach despite using SMS-based 2FA


Popular social news aggregation and discussion site Reddit has suffered a breach. The attacker broke into a number of its systems and gained access to some user data. However, they did not manage to modify any of the site’s content.


About the breach
According to the announcement posted by Reddit CTO Christopher Slowe (“KeyserSosa”), the breach took place sometime between June 14 and June 18, and they discovered it on June 19.

He said that the attacker compromised several employees’ accounts with their cloud and source code hosting providers, despite those accounts having two-factor authentication (2FA) set up for additional security.

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” he shared.

He did not say how the employees’ passwords had been compromised, nor how the attacker was able to intercept the SMS messages carrying the additional authentication factor.

What was compromised?
It took Reddit over a month to come forward with confirmation of the breach, so it’s likely that they now have a fairly good idea of what went on.

According to Slowe, the attacker accessed an old database backup containing Reddit user data, but only for users who signed up between the site’s launch in 2005 and May 2007.

“In Reddit’s first years, it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then,” he explained.

The attacker also managed to access logs containing the email digests Reddit sent between June 3 and June 17, 2018, which “connect a username to the associated email address” and contain suggested posts from the subreddits users subscribe to.

What now?
Users whose data was accessed will be notified directly and advised to change their password and secure their accounts with two-factor authentication.

“Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit eleven years ago on other sites today,” he advised.

If the passwords haven’t been properly salted (a unique salt for every password), the attacker might recover some of them relatively fast and could try the compromised username and password pairs on other sites.
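To illustrate the salting point above, here is an added example that is not from the article or from Reddit: it stores a constructed set of sample accounts once under a shared salt and once under per-user salts, then counts how many hash evaluations a password audit of the stored hashes needs in each case (the same cost model applies to whoever holds a leaked backup).

```python
import hashlib
import os
import secrets

# Constructed sample accounts (not Reddit data): username -> plaintext password.
SAMPLE_ACCOUNTS = {"alice": "hunter2", "bob": "letmein", "carol": "hunter2"}
# Constructed short candidate list standing in for a password-audit wordlist.
WORDLIST = ["password", "hunter2", "letmein", "qwerty"]
ITERATIONS = 10_000  # kept low so the demo runs quickly; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a slow, salted hash is what the verifier stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_shared_salt(accounts: dict, salt: bytes = b"site-wide-salt") -> dict:
    """Weak design: one salt reused for every account (identical passwords collide)."""
    return {user: (salt, hash_password(pw, salt)) for user, pw in accounts.items()}


def store_unique_salt(accounts: dict) -> dict:
    """Correct design: a fresh random salt for every account."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def audit_weak_passwords(store: dict, wordlist: list) -> tuple:
    """Test every wordlist entry against every stored hash and return
    (hash evaluations performed, usernames whose password was in the wordlist).
    One evaluation per (salt, candidate) pair covers every account sharing that
    salt, which is why a shared salt makes a leaked backup cheap to work through."""
    by_salt = {}
    for user, (salt, digest) in store.items():
        by_salt.setdefault(salt, []).append((user, digest))
    evaluations, weak = 0, set()
    for salt, entries in by_salt.items():
        for candidate in wordlist:
            evaluations += 1
            candidate_digest = hash_password(candidate, salt)
            for user, digest in entries:
                if secrets.compare_digest(candidate_digest, digest):
                    weak.add(user)
    return evaluations, weak
```

With three accounts and four candidates the shared-salt store needs 4 evaluations and the per-user-salt store 12; the gap grows linearly with the number of accounts in the backup.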

Reddit users might believe they are fairly anonymous, since they need to provide only a username and an email address to create an account. However, Slowe advised users affected by the breach to consider whether there is anything on their Reddit account that they wouldn’t want linked back to that address.

If there is, they might want to delete the account’s data (posts, drafts, comments, private messages, chat messages).

Finally, he shared that they are taking measures to ensure that additional points of privileged access to Reddit’s systems are more secure. The company hired its first Head of Security a few months earlier.

Avoidable mistake
“Network intrusions like this are inevitable. The Reddit issue reinforces once again that being breached isn’t a question of ‘if’ but ‘when’, and a multi-layered approach to security is needed,” Jason Hart, VP and CTO at Gemalto, commented for Help Net Security.

“Given today’s security climate, all online businesses need to use the types of multi-factor authentication that are appropriate for the data assets being accessed, as well as using encryption and key management to secure sensitive data.”

Ambuj Kumar, CEO of Fortanix, noted that malicious actors can intercept text messages using fake base stations or subscriber hijacking attacks. Yet many banks and service providers continue to use SMS-based authentication.

“In the Digital Identity Guidelines published by NIST last year, SMS-based authentication is considered risky, and its use is restricted. While two-factor authentication can help a lot, it has to be the right kind of two-factor.”
