Reddit is one of the biggest sites on the internet, attracting hundreds of millions of users every month. Commonly called the front page of the internet, Reddit disclosed yesterday that it suffered a security breach.
Before you panic: the data that was nabbed mostly comes from a database backup dating to 2007. While it does contain usernames, email addresses and salted, hashed passwords, it only affects accounts created before May 2007. More interesting is how the breach happened, and it all comes down to SMS-based two-factor authentication.
“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
The attacker intercepted the SMS one-time codes bound for a few Reddit employees, and with those codes got into the employees’ accounts at Reddit’s cloud and source code hosting providers – read-only access, not write access.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.”
Reddit urges anyone with an account from before May 2007 to change their password. Also accessed were logs of the email digests Reddit sent in June 2018, which link usernames to the email addresses they were sent to. That is less serious, but it is still a good reason to change your password and enable non-SMS two-factor authentication.
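The “token-based 2FA” Reddit now recommends in place of SMS codes is, in most authenticator apps, TOTP (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from Reddit or from this article, showing what the phone and the server each compute: the shared secret is handed over once at enrolment (as the otpauth:// URI inside a QR code), and every code after that is derived locally from that secret and the clock, so nothing crosses the carrier network for an SMS intercept to capture. The issuer and account names are made up; the secret `12345678901234567890` used in the checks is the RFC 6238 test-vector key, not a real one.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP: what "token-based 2FA" actually computes."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic
    truncation (4 bytes at offset = low nibble of the last byte), mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    This is what the authenticator app shows; no network is involved."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the matched time-step counter, or None.

    - accepts codes from `window` steps either side of now (clock drift)
    - refuses any counter <= last_counter, so an accepted code cannot be replayed
    - compares every candidate in constant time, with no early exit
    """
    if len(code) != digits or not code.isdigit():
        return None
    now = at // step
    matched = None
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = counter
    return matched


def enroll(issuer: str, account: str, secret: bytes = b""):
    """One-time enrolment: a fresh 160-bit secret plus the otpauth:// URI that an
    authenticator app reads from a QR code. Returns (secret, base32_secret, uri)."""
    secret = secret or secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")
    return secret, b32, uri


if __name__ == "__main__":
    # Constructed enrolment for a hypothetical account; not real data.
    secret, _, uri = enroll("Example Corp", "alice@example.com")
    print("scan this once:", uri)
    now = int(time.time())
    code = totp(secret, now)                       # what the app displays
    step_used = verify_totp(secret, code, now)     # server accepts it
    print("code", code, "accepted for step", step_used)
    # Presenting the same code again is rejected as a replay.
    print("replay accepted?", verify_totp(secret, code, now, last_counter=step_used))
```

The `last_counter` bookkeeping is the part most home-grown verifiers skip: without it an intercepted code stays valid for the rest of its 30-second window plus the drift allowance. Note too that TOTP only removes the SMS delivery channel from the attack surface; a phishing page that relays the code in real time still works, which is why FIDO/WebAuthn hardware keys are the stronger option where the provider supports them.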
Last Updated: August 2, 2018