On Wednesday Reddit reported that it had been hacked: the attackers accessed an old database backup containing very early Reddit user data, along with logs of the email digests Reddit sent between June 3 and June 17, 2018. Here’s what the company had to say:
“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.
“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
Below is what security industry experts had to say about this incident.
Frederik Mennes, Senior Manager Market & Security Strategy, Security Competence Center, OneSpan
“In order to effectively deal with today’s cybersecurity threats, organizations should protect their accounts with strong, multi-factor authentication. Reddit did so, but unfortunately opted for a two-factor authentication technique with known security weaknesses, namely delivery of one-time codes via SMS. While it is not clear how the SMS codes were intercepted in case of Reddit, earlier cases have shown that interception is usually performed using malware on the mobile phone, or by exploiting weaknesses in the SS7 networking protocol. Organizations should select sound multi-factor authentication techniques whereby one-time codes are generated by the client-side device, such as a mobile phone or hardware token. We applaud Reddit’s effort to encourage customers to use token-based two-factor authentication.”
“SMS continues to plague enterprises that are solely reliant on the technology to solve their authentication needs. Even when combined with static passwords and PINs, SMS still offers a very low level of security.

“Being able to perform a wide-scale SMS attack is hard, but if you are able to identify key individuals with privileged access, then these accounts become prime targets for attack.

“In the wake of these privacy breaches, users should see the writing on the wall. They should move off of their SMS-based authentication systems and move on to more secure push-based or app-based mobile authentication technology. Enabling systems to understand the context of a login, and offering the correct form of authentication when it is needed, is an important objective to ensure users leverage more secure authentication technologies. If a context-aware orchestrated authentication system had been in place, perhaps the system would have noticed anomalies in the hackers’ login and could have correctly pushed for a stronger form of authentication in response to the strange logins. Correct authentication for the correct risk and fraud situation.”
Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team):
“This breach is particularly interesting because it is an example of SMS-based 2-factor authentication being used to compromise a major service provider. While SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack of a public service.

“Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers. The most common technique is most likely use of smartphone malware, which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user, but this seems less likely in such a targeted campaign. Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol, which is at the heart of modern telephony routing, or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM. An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars’ worth of equipment.

“The moral of this story is that SMS-based 2-factor authentication should not be considered “strong” in the face of a determined attacker.”
Koby Kilimnik, security researcher at Imperva:
“If all the passwords leaked were indeed hashed and also salted, it would take an attacker a lot more time to crack those passwords and render them usable, since they need to find and compute each individual hash and can’t use a more efficient memory/CPU trade-off solution like rainbow tables. Notwithstanding that, I would still recommend changing your reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database.
“Another good idea is not to use the leaked password anywhere else. Although it’s hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future “credential stuffing attack.”
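To make Kilimnik’s point concrete, here is an added Python illustration of why a per-user salt changes the attacker’s cost. It is not code from Reddit or Imperva: the salted scheme (PBKDF2-HMAC-SHA256) and its iteration count are this example’s own choices, and the unsalted SHA-1 scheme in the second half is a constructed contrast only; the article says nothing about Reddit’s 2007 hashing beyond it being salted and hashed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; chosen for this example and meant to be
# tuned to the server's hardware so a verification takes a noticeable fraction
# of a second.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt is drawn per password unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# --- Contrast: an unsalted fast hash, the kind a precomputed table defeats ---

def unsalted_hash(password: str) -> str:
    """Constructed weak scheme for illustration only (plain SHA-1, no salt)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; the table is reusable against every
    unsalted record because identical passwords produce identical hashes."""
    return {unsalted_hash(pw): pw for pw in candidates}


def crack_with_table(table: dict, stored_hash: str) -> Optional[str]:
    """Constant-time reversal of an unsalted hash if the password was a candidate."""
    return table.get(stored_hash)


def demo():
    """Show the two regimes side by side on a constructed candidate list."""
    common = ["password", "123456", "letmein", "qwerty"]
    table = build_lookup_table(common)
    # Unsalted: a single dictionary lookup recovers the password.
    hit = crack_with_table(table, unsalted_hash("letmein"))
    # Salted: the same password gives a different record for each user, so a
    # table built in advance cannot match; every record forces fresh PBKDF2 work.
    record_a = hash_password("letmein")
    record_b = hash_password("letmein")
    return hit, record_a != record_b, verify_password("letmein", record_a), \
        verify_password("letmein", record_b)


if __name__ == "__main__":
    print(demo())
```

The salt is stored in the clear next to the hash; that is fine, because its job is not secrecy but uniqueness, which forces an attacker to run the slow key-derivation function once per candidate password per record instead of once per candidate overall.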
Robert Capps, Vice President of Business Development, NuData Security, a Mastercard company:
“Fortunately, this Reddit breach doesn’t include credit card information. However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked. From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.
“Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.”
Hed Kovetz, Co-Founder & CEO, Silverfort (www.silverfort.io):
“However, continued reliance on static information to authenticate a user will continue to expose companies to those breaches carried out through admin accounts. This is why many customer-facing organizations that transact online are adopting multi-layered technology solutions that incorporate passive biometrics and behavioral analytics technology. This technology helps make stolen data valueless by verifying users based on their inherent behavior instead of relying on their data.”
“Implementing multi-factor authentication (MFA) on servers and applications is currently a difficult and resource-consuming task. As a result, many servers and applications continue to rely on basic authentication methods (such as passwords) or legacy MFA methods that were implemented in the past, even if they are now known to be vulnerable. This is the case with SMS-based MFA, which was proven unsafe because the SMS message can be easily intercepted by attackers, along with the one-time code. Mobile MFA apps are much more secure, because they communicate over TLS. They also provide a better user experience.
“In addition, organizations should look for MFA solutions that can be easily upgraded whenever a superior MFA method is introduced into the market, without having to re-integrate with each individual application.”