Reddit Breached After SMS 2FA Fail
Reddit has become one of the big tech names who admitted to a major data breach, attackers who compromised the staff accounts by intercepting SMS based two-factor authentication codes.
The CTO, Christopher Slowe, who explained in a long Reddit post that they have discovered the attack over a month ago, on June 19.
“We learned that between June 14 and June 18, an attacker compromised a few of our employees’ account with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” he said.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained the backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”
Craig Young, a security researcher at Tripwire, who argued over the incident which proves the fallibility of SMS-based verification tokens, which can be stolen via a variety of techniques.
“The most common technique is most likely use of smartphone malware which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity form the end-user but this seems less likely in such a targeted campaign,” he added.
“Another possibility is that the attacker exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM. An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollar of equipment.”
The Reddit’s attacker who have managed to access the two troves of data: an old back-up database from 2005-07 featuring “account credentials (username and slated hashed passwords), email addresses, and all content (mostly public, but also private messages)” and as well as email digest logs from between the June 3 and the June 17, 2018 which do contains the username and email.
The passwords for sure are same if they are in the form of salted and hashed as it would take a lot of time for an attacker to crack them, explained Koby Kilimnik, security researcher at Imperva.
“Notwithstanding that, I would still recommend changing your Reddit password, and if you don’t like spam emails, you might also want to start using a different email account, since those leaked emails will probably find their way into some spammer’s database,” he added.
“Another good idea is not to use the leaked password anywhere else. Although its’ hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future ‘credential stuffing attack’.”
The firm has claimed that they are now notifying all the users about the old data breach and also those who have been affected by the newer one too, check out your inbox for emails from firstname.lastname@example.org between June 3-17, 2018.
It’s been reported that this breach could be far greater than the first and this might also help the attackers to unmask their anonymous users by linking their pseudonym to their username and email address.
The platform has around 300 million users globally and also the US users who have the email digest function switched on by default, so the number could theoretically get around to 200 million.
As the European citizens’ data is presumably affected by the breach, and the incident which occurred in June, it’s likely that the GDRP regulators will of course get involved in it.