Reddit has announced it has been hacked – with some user data accessed.
The company posted a statement on its website, stating that a hacker broke into some of its systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.
A ‘painstaking investigation’ has been ongoing since, in a bid to figure out exactly what was accessed and to improve Reddit’s systems and processes to prevent this from happening again.
The statement said: “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”
Reddit said it is sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. Anyone who signed up for Reddit after 2007 is not affected.
Logs containing the email digests sent by the company between June 3 and June 17, 2018 were also accessed.
Reddit said it had reported the issue to law enforcement and is cooperating with the investigation. The company is also messaging user accounts if there is a chance the credentials taken reflect the account’s current password.
It has also taken measures to ensure that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry), since it suspects weaknesses inherent in SMS-based 2FA to be the root cause of the incident.
Industry experts have offered their comments on the breach.
Robert Capps, Vice President at NuData Security, a Mastercard company
Fortunately, this Reddit breach doesn’t include credit card information. However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked. From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.
Reddit is doing the right thing by immediately informing its global community of the extent of the damage, advising of the steps Reddit is taking and letting its community know what they should watch for and do.
However, continued reliance on static information to authenticate a user will continue to expose companies to those breaches carried out through admin accounts. This is why many customer-facing organisations that transact online are adopting multi-layered technology solutions that incorporate passive biometrics and behavioural analytics technology. This technology helps make stolen data valueless by verifying users based on their inherent behaviour instead of relying on their data.
Travis Biehn, Technical Strategist at Synopsys
The Reddit breach underscores how the application of best practices, like use of MFA, also need to be revisited over time as new attack techniques come to light.
You can look at the timeline for SMS hijacking techniques – the first practical attacks were presented a few years ago – and now these are being increasingly commoditised for a wide array of attackers.
Right now, the best users can do is rely on two factor authentication, which raises the cost for attackers, and use a password manager to reduce the risk of password re-use.
Attackers use this information in a few ways. First up, they’ll try account name and password pairs on other websites, exchanges, banks and so on. Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90% of original password values. In fact, around 60% of a corpus can be recovered in as little as three hours on less than US$10,000 worth of hardware.
Rashmi Knowles, Field CTO EMEA at RSA Security
Security has evolved since SMS authentication and organisations need to do the same. SMS is not true multi-factor authentication, as it is sent from a network to the phone, giving hackers an opportunity to intercept this message and hijack the user account.
Instead, it is vital that true multi-factor authentication is mandatory in a company’s security strategy. For example, proximity-based solutions or biometrics can provide a simple way for users to prove who they are, while also reducing the risk of a breach.
By putting another wall of defence up that can’t be mimicked, organisations can effectively manage their digital risk and keep user data secure.
Robb Reck, CISO at Ping Identity
SMS has been the most convenient two factor option and seen as ‘good enough’ by many companies. It’s especially convenient because you don’t need to use a dedicated token, nor install an application on your phone.
There are numerous examples of better types of MFA, including an installed application that will require interactive approval from a user (including requiring biometrics), a mobile one-time password, a physical U2F key, certificate based authentication, among others. The ideal situation is to use these various MFA factors in a risk-appropriate manner, using the higher assurance options (like interactive mobile app approval) for high risk activities and lower assurance options (like machine certificates) for low risk activities. These same assurance levels can be used to require higher levels of assurance when we see anomalous behaviour. If a user is signing in from a strange location, during off-hours, or to an application they seldom use, that might trigger the higher assurance MFA options.
This real-world example of a company seeing SMS MFA defeated will certainly help but it will not be enough in itself. We need to continue banging the gong on SMS as a weak MFA option and seek to replace it. The more we talk about it, the better the momentum will build.
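The risk-appropriate use of MFA factors described above can be expressed as a small policy: a baseline assurance level set by the action’s risk, raised by each anomalous signal (unfamiliar location, off-hours, rarely used application), which the strongest factor presented must meet. The following is an added illustration, not code from Ping Identity or the article; the factor-to-level mapping and the `LoginContext` fields are assumptions drawn from the comment.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered assurance levels; higher is harder for an attacker to satisfy."""
    NONE = 0
    LOW = 1      # e.g. machine certificate
    MEDIUM = 2   # e.g. mobile one-time password
    HIGH = 3     # e.g. interactive app approval with biometrics, U2F key


# Hypothetical mapping of factor to assurance level, following the comment.
# SMS is kept at MEDIUM so that it can never satisfy a HIGH requirement.
FACTOR_LEVEL = {
    "machine_cert": Assurance.LOW,
    "sms_otp": Assurance.MEDIUM,
    "mobile_otp": Assurance.MEDIUM,
    "u2f_key": Assurance.HIGH,
    "app_approval_biometric": Assurance.HIGH,
}


@dataclass
class LoginContext:
    high_risk_action: bool = False
    known_location: bool = True
    within_business_hours: bool = True
    app_used_recently: bool = True


def required_assurance(ctx: LoginContext) -> Assurance:
    """Baseline LOW for routine activity, HIGH for high-risk actions; every
    anomalous signal raises the requirement one level, capped at HIGH."""
    level = Assurance.HIGH if ctx.high_risk_action else Assurance.LOW
    anomalies = sum([not ctx.known_location,
                     not ctx.within_business_hours,
                     not ctx.app_used_recently])
    return Assurance(min(Assurance.HIGH, level + anomalies))


def decide(ctx: LoginContext, factors_used: list) -> tuple:
    """Return (allowed, required level): the strongest factor presented must meet it."""
    need = required_assurance(ctx)
    have = max((FACTOR_LEVEL.get(f, Assurance.NONE) for f in factors_used),
               default=Assurance.NONE)
    return have >= need, need
```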