Password breach teaches Reddit that, yes, phone-based 2FA is that bad

Attackers steal password data, user messages, email addresses, and more.

Enlarge (credit: Misaochan)

A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.

In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.

Wednesday’s post said that the breached employee accounts were protected by 2FA, which typically requires people to take an extra step beyond entering a password when accessing an account from a new computer. In most cases, the extra step is the entering of a one-time password (OTP) that’s sent to or generated by a mobile phone. More secure yet, the 2FA is in the form of a cryptographic token sent by a security key attached to a device logging in. The 2FA protecting the Reddit accounts, however, relied on OTPs sent through SMS messages, despite reports over the years (such as this one) that make it amply clear they are susceptible to interception.

Read 5 remaining paragraphs | Comments

Reddit breach exposes non-critical user data

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

A post by Reddit CTO Chris Slowe (as KeyserSosa, naturally) explained that they discovered the hack on June 19, and estimated it to have taken place between June 14 and 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” he wrote, gaining “read-only access to some systems that contained backup data, source code and other logs.”

Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to be used instead of an authenticator app or token. SMS has some major inherent security flaws, and this method was declared unacceptable by NIST back in 2016. But it is far from eliminated and many services still use it as a main or backup 2FA method.

Reddit itself, it is worth noting, only provides 2FA via token. But at least one provider of theirs didn’t, it turns out, and the attackers took advantage of that. (Slowe said they know no phones were hacked, which suggests the SMS authentication codes were intercepted otherwise, possibly via spoofing a phone or scamming the provider.)

Although a complete inventory of what was accessed by the hackers isn’t made available, Slowe said that there were two main areas of concern as far as users were concerned:

  • A complete copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, salted/hashed passwords, emails, public posts, and private messages.
  • June’s email digests, with usernames and associated emails.

Reddit is a different and much, much bigger place today than it was in 2007; anyone who remembers the big migration from Digg in those days will also remember how small and limited it was.

Still, these data together could still be useful to malicious actors looking to scam people on this list — if I were them, I’d be sending fake email digests asking them to log in, or building a list of username-email pairs and matching those to other sites. And of course you might want to, as Slowe put it, “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”

If you’re one of the people affected, you should be receiving an email or PM that should inform you of your risk — for example, if your password hasn’t been changed since 2007, which would be its own security risk. I joined in July 2007 and haven’t received either, as a data point.

Slowe also noted that the company has alerted the appropriate authorities as required and has improved security since the event.