News aggregation service Reddit has admitted that some of its systems containing user data were breached after employee accounts with its cloud and source code hosting providers were compromised, despite the company’s use of two-factor authentication (2FA).
While 2FA is widely recommended in addition to passwords as a way of improving account security, Reddit used mobile text (SMS)-based 2FA, whose weaknesses are well documented.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said in a statement.
“We point this out to encourage everyone here to move to token-based 2FA,” the company added.
The attacker, who had access between 14 and 18 June, was able to read Reddit users’ current email addresses and a 2007 database backup containing old salted and hashed passwords, the company said.
The intruder is also believed to have accessed email digests sent between 3 June and 17 June, which linked usernames to their associated email addresses and included Reddit-suggested posts.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” Reddit said.
As a result of the breach, Reddit said it has carried out a “painstaking investigation” to ascertain what data was exposed and to improve its systems and processes.
Reddit said it has also reported the incident to law enforcement and is cooperating with the investigation, has alerted account holders where there is a chance the stolen credentials still match an account’s current password, and has taken measures to make other points of privileged access to its systems more secure, including enhanced logging, more encryption and a requirement for token-based 2FA to gain entry.
Reddit has advised users whose account credentials were affected to reset their Reddit account password and to be alert for potential phishing scams.
“A strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users,” the company said.
Some security commentators said the breach shows that 2FA that uses SMS or phone calls to deliver a one-time passcode (OTP) is only marginally better than no 2FA at all.
2FA based on a cryptographic token, whether a security key plugged into the device logging in or an authenticator app that computes codes locally, is considered more secure because the secret never crosses the mobile network and so cannot be intercepted in transit the way an SMS code can. Authenticator-app codes can still be phished from the user; security keys, which bind their response to the site’s origin, resist that as well.
Phone-based OTPs have been shown to be susceptible to a range of interception methods, including phone number hijacking (SIM swapping), mobile account hijacking and exploiting weaknesses in the SS7 signalling protocol that carriers around the world use to make their networks interoperate.
Hashed and salted passwords
Koby Kilimnik, security researcher at Imperva, said that if all the passwords leaked were indeed hashed and also salted, it would take an attacker a lot more time to crack those passwords and render them usable since they need to find and compute each individual hash.
“Notwithstanding, I would still recommend changing your Reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database,” he said.
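The point about salted hashes above can be shown directly. The following is an added example, not Reddit’s code and not a description of how the 2007 backup was actually hashed (the article does not say which algorithm was used): it builds a tiny user table two ways, unsalted and with a random per-user salt, then runs the same dictionary attack against each and counts hash computations. The user table and wordlist are constructed sample data; SHA-256 stands in for whatever hash the real store used.

```python
import hashlib
import os

# Constructed sample data: four users (two share a password) and a short candidate wordlist.
USERS = {"alice": "correcthorse", "bob": "hunter2", "carol": "hunter2", "dave": "letmein"}
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty", "correcthorse"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: same password always yields the same stored value."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted scheme: the salt is stored alongside the hash, in the clear; its job is
    to make every user's hash unique, not to be secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(users: dict) -> dict:
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    # 16 random bytes per user is a common choice; the figure is an assumption.
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, salted_hash(p, salt))
    return out


def crack_unsalted(stored: dict) -> tuple:
    """One pass over the wordlist builds a lookup table that cracks every user at once.
    Returns (cracked users, number of hash computations)."""
    table = {unsalted_hash(w): w for w in WORDLIST}
    ops = len(WORDLIST)
    cracked = {u: table[h] for u, h in stored.items() if h in table}
    return cracked, ops


def crack_salted(stored: dict) -> tuple:
    """Per-user salts defeat the shared table: each user costs its own pass over the
    wordlist, so total work scales with users x candidates instead of just candidates."""
    cracked, ops = {}, 0
    for u, (salt, h) in stored.items():
        for w in WORDLIST:
            ops += 1
            if salted_hash(w, salt) == h:
                cracked[u] = w
                break
    return cracked, ops


def reuse_visible(stored_unsalted: dict) -> bool:
    """Unsalted storage also leaks password reuse: equal hashes mean equal passwords."""
    return stored_unsalted["bob"] == stored_unsalted["carol"]


if __name__ == "__main__":
    cracked, ops = crack_unsalted(store_unsalted(USERS))
    print(f"unsalted: cracked {len(cracked)} users with {ops} hashes")
    cracked, ops = crack_salted(store_salted(USERS))
    print(f"salted:   cracked {len(cracked)} users with {ops} hashes")
```

With a weak wordlist like this one everything still falls, which is why Kilimnik’s advice to change the password stands even for a salted dump: salting multiplies the attacker’s work by the number of users and hides which accounts share a password, but it does not make any individual guess slower. That is the job of a deliberately slow password hash such as bcrypt, scrypt or Argon2, which the example does not use and the article does not discuss.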
Craig Young, security researcher at Tripwire, said that while SMS interception has been a common trick in opportunistic financial fraud, it is far less common to hear about this method being used in this type of targeted attack on a public service.
“Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS based verification tokens can be stolen with a variety of well-known techniques,” he said.
According to Young, the attackers possibly exploited well-known weaknesses in the Signaling System 7 (SS7) protocol at the heart of modern telephony routing.
“Or they could have simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM,” he said. “An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars of equipment.
“The moral of this story is that SMS based 2-factor authentication should not be considered ‘strong’ in the face of a determined attacker.”