Reddit hack highlights vulnerability of two-factor authentication

Security experts criticise Reddit for putting onus on the users

Reddit has disclosed a data breach from June, in which an attacker exploited a weakness in the site's SMS-based two-factor authentication to gain read-only access to systems and user information.

In a public post, Reddit explained that the hacker broke in between the 14th and 18th of June, compromising employee accounts with cloud and source code hosting providers. The attacker was able to view systems containing backup data, source code and other logs, as well as email addresses and hashed passwords for all Reddit users who registered accounts on the site prior to May 2007.

In addition, the attacker was able to view the usernames and email addresses of users who had signed up to receive daily email digests of some discussion threads.

Reddit has informed law enforcement and is also messaging some of the affected users (see below). The site says that it is also moving to token-based two-factor authentication, as it suspects the SMS-based system to be the root cause of the problem.

What actually happened?

The hacker appears to have been able to compromise the two-factor authentication method that Reddit was using to protect employees' accounts by intercepting the SMS messages containing log-in codes.

‘Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.’

Reddit didn't explain how the SMS codes were stolen, although it did confirm that its employees' phones weren't compromised. There are, however, other methods, including a SIM swap (convincing the target's telco operator to tie the victim's services to a new SIM card) and mobile number port-out scams (transferring the victim's number to another mobile network provider).

Rashmi Knowles, field CTO EMEA at RSA Security, said:

"Security has evolved since SMS authentication, and organisations need to do the same. SMS is not true multi-factor authentication, as it is sent from a network to the phone, giving hackers an opportunity to intercept this message and hijack the user account. Instead, it is vital that true multi-factor authentication is mandatory in a company's security strategy. For example, proximity-based solutions or biometrics can provide a simple way for users to prove who they are, while also reducing the risk of a breach. By putting another wall of defence up that can't be mimicked, organisations can effectively manage their digital risk and keep user data secure."

‘Trust is flagging’

Reddit is getting in touch with users whose historic data - dating from before 2007 - was taken, but won't be informing those who have been affected by the larger data breach, i.e. current usernames and email addresses.

Instead, the site has told users to look through their Reddit inboxes to see if they received a digest email between the 3rd and 17th of June this year - the period of time that the hacker(s) was able to view.

Security experts have been damning in their criticism. Stephen Walsh, senior director of security at CA Technologies, said:

"It is unsurprising that the 2018 Digital Trust Index found consumer trust in the ability or desire of organisations to fully protect user data flagging when companies, like Reddit, do not seek to address all those users whose personally identifiable information is exposed in a data breach…

"Companies must meet their responsibilities on data stewardship or risk serious ramifications - not just in losing trust of customers, but in facing potential regulatory penalties, such as under the GDPR."

Security researcher Troy Hunt told the BBC, "This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?

"In the case where it's mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually."