Reddit is the latest technology company to confirm that it suffered a security breach. The social news aggregation platform confirmed yesterday that an intrusion in June exposed some of its internal systems to the attackers but, according to the company, did not expose its current user data.
The most critical piece of this news is not the breach itself but how it was accomplished. Reddit says the attackers got into its systems by circumventing the two-factor authentication it had in place, through SMS interception. The attack should serve as a wake-up call to companies still relying on SMS-based two-factor authentication to protect their systems.
In a post, Reddit CTO Chris Slowe explained that the company discovered the intrusion on June 19 and estimates that it took place between June 14 and June 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers gaining read-only access to some systems that contained backup data, source code and other logs,” he wrote.
The compromised accounts were gated behind two-factor authentication, but of a type that optionally allowed an SMS code in place of an authenticator app or hardware token. SMS has well-documented weaknesses as a second factor: NIST deprecated it as an out-of-band authenticator in its 2016 draft of SP 800-63B. Yet although SMS is known to be a weak fallback mechanism, the industry is far from eliminating it for user authentication.
Most services still offer SMS as the primary or backup method for two-factor authentication. Reddit itself uses token-based two-factor authentication, but at least one of its providers did not require it, and the attackers took advantage of that gap. Slowe notes that no phones were hacked, which points to the SMS codes having been intercepted in transit rather than read off a compromised handset, either by taking over the victim's phone number (a SIM swap, typically by social-engineering the carrier) or by intercepting the messages on the carrier's network. Reddit has not said which.
Reddit has yet to share the full list of data accessed by the attackers, but it says that from a user's point of view the key item is a complete copy of a 2007 database backup, covering the site's first two years of operation (2005 to 2007). That backup contains usernames, salted and hashed passwords, email addresses, public posts and private messages.
Reddit has grown enormously since 2007, and the stolen data is most likely useful to the attackers only for spam, although old salted hashes can still be cracked offline, so any password from that era that is still in use, on Reddit or elsewhere, is at risk. If you have not changed your Reddit password since 2007, or reuse that password on another site, change it now. Reddit says it will notify affected users by email or private message.