2FA SNAFU led to Reddit security breach in which user data was stolen
Reddit has revealed details of a security breach that enabled a hacker to gain access to private messages, usernames and encrypted passwords. The self-proclaimed "front page of the internet" is undertaking an investigation and taking steps to improve security.
The attack took place between June 14 and June 18 this year, and the perpetrator was able to access "all Reddit data from 2007 and before including account credentials and email addresses", the site said in an announcement. The breach was made possible after the attacker beat SMS-based two-factor authentication and compromised several employee accounts.
Revealing details of the security incident in a post on the site, the Reddit team says that "old salted and hashed passwords" were accessed in a 2007 database backup. Some current email addresses were also affected.
The team goes on to explain a little about what happened a few weeks ago:
On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees' accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.
Also accessed were email digests sent out in the first half of June this year, and it is because of this that many currently-used email addresses may have been accessed. Reddit says that you should check your inbox to see if you have emails from firstname.lastname@example.org -- if you do, your email address and username could well be known by the attacker.
In response to the attack, Reddit says that it has reported the matter to law enforcement and that an investigation is underway. If there is concern about individual user accounts' passwords being compromised -- or easily determined -- the site is contacting users directly. A more secure 2FA system has also been put in place.
In conclusion, Reddit says the following to its users:
First, check whether your data was included in either of the categories called out above by following the instructions there.
If your account credentials were affected and there's a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
If your email address was affected, think about whether there's anything on your Reddit account that you wouldn't want associated back to that address. You can find instructions on how to remove information from your account on this help page.
And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams.