Reddit Breach Stems from SMS Two-Factor Authentication Breakdown

Reddit confirmed Wednesday that a hacker broke into its systems and accessed user data – including email addresses and passwords for accounts.

The company said in a post today that the compromise occurred between June 14 and June 18, and it detected the incident on June 19.

“We learned that an attacker compromised a few of Reddit’s accounts with cloud and source-code hosting providers by intercepting SMS two-factor authentication (2FA) verification codes,” a Reddit spokesperson told Threatpost. “We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future.”

Those measures include hardening additional points of privileged access to Reddit’s systems, including requiring token-based two-factor authentication to gain entry.

The spokesperson did not say how many users were impacted, only stating that “a small number of users were affected and have been notified.”

“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope,” a spokesperson said. “We point this out to encourage everyone here to move to token-based 2FA.”

The bad actor was able to access all Reddit data from 2007 and before, including account credentials and email addresses, via a 2007 database backup containing old salted and hashed passwords.

The hacker also accessed logs containing email digests sent by Reddit between June 3 and June 17, 2018. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits.

The attacker did not gain write access to Reddit systems and was not able to alter Reddit information; they did, however, gain read-only access to some systems that contained backup data, source code and other logs. As the site explained, “we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”

The infosec community, for its part, took to Twitter to use the incident as a warning for others about the weaknesses surrounding SMS two-factor authentication, including security researcher Thomas Ptacek, who stressed “it doesn’t work.”

The company said that it is messaging users whose stolen credentials reflect the account’s current password. If a user’s account credentials were affected and there is a chance those credentials match the password they currently use on Reddit, they must immediately change their Reddit account password.
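The check described above, identifying accounts whose leaked 2007 credentials still match the current password, can only be performed when the plaintext is available, i.e. at login. The following is an added illustration, not Reddit’s code; it assumes the leaked backup used salted SHA-1 and the current store uses PBKDF2-HMAC-SHA256 (both assumptions), and all records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample stores, not real Reddit records or formats.
LEAKED_BACKUP = {}   # username -> (salt, legacy sha1 hex)   (assumed format)
CURRENT_STORE = {}   # username -> (salt, pbkdf2 hex)        (assumed format)


def legacy_hash(password: str, salt: bytes) -> str:
    """Assumed 2007-era scheme: salted SHA-1. Weak by today's standards."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def current_hash(password: str, salt: bytes) -> str:
    """Assumed current scheme: PBKDF2-HMAC-SHA256 with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    CURRENT_STORE[username] = (salt, current_hash(password, salt))


def seed_leaked(username: str, password: str) -> None:
    """Populate the constructed 'leaked backup' with a legacy record."""
    salt = os.urandom(8)
    LEAKED_BACKUP[username] = (salt, legacy_hash(password, salt))


def login(username: str, password: str) -> tuple:
    """Return (authenticated, must_reset).

    must_reset is True only when the password that just authenticated also
    reproduces the leaked legacy hash, i.e. the user never changed it.
    Constant-time comparisons avoid leaking hash prefixes via timing.
    """
    entry = CURRENT_STORE.get(username)
    if entry is None:
        return (False, False)
    salt, stored = entry
    if not hmac.compare_digest(current_hash(password, salt), stored):
        return (False, False)
    leaked = LEAKED_BACKUP.get(username)
    must_reset = leaked is not None and hmac.compare_digest(
        legacy_hash(password, leaked[0]), leaked[1])
    return (True, must_reset)


# Constructed scenario: alice reused her 2007 password, bob rotated his,
# carol never appeared in the old backup.
seed_leaked("alice", "hunter2")
seed_leaked("bob", "letmein")
register("alice", "hunter2")
register("bob", "correct-horse-battery")
register("carol", "s3cret!")
```

Accounts that return `must_reset=True` are the ones that warrant the forced password change the article describes; everyone else is unaffected by the legacy backup alone.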