Hackers break into Reddit's systems

Hackers break into Reddit's systems

SMS-based authentication not nearly as secure as it thought

Global online forum Reddit has revealed a hacker broke into a few of its systems accessing user data between 14-18 June.

According to an announcement issued on 2 August, current email addresses and a 2007 database back-up containing old salted and hashed passwords have been accessed.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” according to Reddit.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.

"We point this out to encourage everyone here to move to token-based 2FA."

According to Webroot senior threat research analyst Tyler Moffitt, the phone number is the weakest link in this type of attack.

"Cyber criminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication," Moffitt said.

"For example, a cybercriminal would simply need to give a wireless provider an address, last four digits of a social security number, and perhaps a credit card to transfer a phone number.

"This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax."

Read more: The Social Networking Compendium – Part 6 (Social Bookmarking)

Reddit said that the hacker did not gain write access to its systems only read-only access to some systems that contained back-up data, source code and other logs.

A complete copy of an old database backup containing early Reddit user data -- from the site’s launch in 2005 through May 2007 was accessed.

According to Reddit the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

Also accessed were logs containing the email digests Reddit sent between 3-17 June 2018. 

Reddit logs (source: Reddit)Credit: IDG
Reddit logs (source: Reddit)

The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work sub-reddit's users subscribe to. 

As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data,” it said.

Reddit has reported the issue to law enforcement, it is letting users know and is taking measures to guarantee that additional points of privileged access to Reddit’s systems are more secure.

Read more: Hacked: it could happen you

Tags reddithacked

Show Comments