Reddit discloses hack, says SMS intercept allowed attackers to skirt 2FA protections

Reddit hack exposed logs, source code, and user data from 2005-2007 in some cases.


Reddit, one of the largest websites on the internet, announced on Wednesday that someone was able to compromise staff accounts at their cloud and source code hosting providers, leaving backups, source code, and various logs exposed.

As a result, they are notifying some users who maintained accounts on the website prior to 2007, as their accounts were impacted.

In a post on the website, one of Reddit's founding engineers said the incident was discovered on June 19.

Sometime between June 14th and 18th, the attackers were able to compromise staffer accounts on unnamed cloud and source code hosting providers, bypassing what were assumed to be solid defenses built on two-factor authentication (2FA).

"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA," the post explained.

As a rule, the engineer said, Reddit required people to use TOTP (Time-based One-Time Password) codes rather than text messages, because SMS-based 2FA was already known to have weaknesses.

"...but there are situations where we couldn't fully enforce this on some of our providers since there are additional 'SMS reset' channels that we can't opt out of via account policy. We've since resolved this," the engineer, who goes by KeyserSosa, explained.

The attackers were able to gain read-only access to backup data, source code, and various logs, but were unable to alter any other Reddit information.

Reddit has since strengthened their security posture, but they're reaching out to users who were impacted by the incident as their email addresses and in some cases private messages were exposed. The backups also included old salted and hashed passwords.

The backups accessed by the attackers contained a complete copy of an old database, housing Reddit data from 2005 until 2007. Thus, it is important to note that anyone who created a Reddit account after 2007 was not impacted by this aspect of the incident.

However, the attacker also gained access to logs containing email digests sent between June 2 and June 17, 2018. The digest emails are basic recaps of safe-for-work subreddits a given user subscribes to, but they can connect an email address to a username.

"If you don’t have an email address associated with your account or your 'email digests' user preference was unchecked during that period, you’re not affected," the post said.

As mentioned, Reddit is reaching out to those impacted directly, and they're working with law enforcement on the matter. But the disclosure post did offer some final advice.

"If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today… And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams."
