Reddit Says Attackers Bypassed SMS-Based AuthenticationYes, Reddit Was Breached; No, Don't Dump Multifactor Authentication
Reddit, a social news aggregation site, on Wednesday announced that it suffered a data breach after attackers managed to bypass its SMS-based two-factor authentication system. The compromised data included "a complete copy of an old database backup containing very early Reddit user data - from the site's launch in 2005 through May 2007" including email addresses and access credentials, it says.
The quick takeaway: "If you signed up for Reddit after 2007, you're clear."
Everyone else: Watch Reddit private messages and emails for a notification, and expect to change Reddit passwords at the next log-in attempt.
San Francisco-based Reddit has been a subsidiary of publishing giant Condé Nast's parent company, Advance Publications, since September 2011.
The attack against Reddit is notable in part because attacker bypassed the company's SMS-based TFA - aka 2FA - system.
"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," says Christopher Slowe, aka "KeyserSosa," who's Reddit's founding engineer, in a post to Reddit.
"We point this out to encourage everyone here to move to token-based 2FA," he says, referring to a piece of software or hardware - respectively a virtual or physical token - that generates a one-time code that can be used to authenticate a user.
Reddit says it first learned it was breached on June 19, when it found that between June 14 and June 18, "an attacker compromised a few of our employees' accounts with our cloud and source code hosting providers." Ultimately, the attacker was able to gain "read-only access to some systems that contained backup data, source code and other logs," Slowe says.
Compromised user data included "account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then," he says.
"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems," he said.
Anyone who sent private messages via Reddit from 2007 or before could have had their messages exposed and some current members' Reddit email digest subscriptions were also exposed. "Private messages sent before 2008 through the site may have been leaked, which could cause concern to some users," the U.K.'s National Cyber Security Center says in its post-breach advice for Reddit users, released Thursday. "For modern data, the breach of privacy was minimal (you might be able to infer that someone is a member of a 'niche' reddit group from the email digest they are sent)."
Reddit says it's reported the intrusion to law enforcement and is participating in an ongoing investigation. It's also added a slew of security improvements "to guarantee that additional points of privileged access to Reddit's systems are more secure," Slowe says, naming in particular "enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident."
How to Intercept SMS Messages
Information security consultant Ryan McGeehan, a former security director at Facebook and Coinbase, says it's relatively easy for an attacker to socially engineer access to a target's mobile phone number for SMS-interception purposes.
Here's how "SMS Intercept" works in practice. *Anyone* walks into *any* retail cellular store in the world, tells an employee to move *your* number to a new SIM.— Ryan McGeehan (@Magoo) August 1, 2018
The employee *verifies* that person. Your SMSs now go to a new phone.
That's just one way.
"Someone calls a phone company and says 'I want to move my (read: *your*) number to this other carrier.' Your SMSes now go to a new phone," McGeehan says via Twitter. And that's just one of a number of ways that social engineers can potentially intercept SMS messages, he says.
Any TFA: Better Than None
Reddit's breach report has led to a slew of security experts reminding users that multifactor authentication is no silver bullet (see Nation-State Spear Phishing Attacks Remain Alive and Well).
One bigger point, says information assurance trainer William H. Murray, is that organizations would ideally be using strong authentication. "Not just two-factor, not just multifactor, but 'strong,' i.e., resistant to replay," Murray says. "'Phishing,' 'spear' or otherwise, works because the credentials obtained can be fraudulently reused, often for weeks or months. By definition, all strong authentication is multifactor but not all multifactor is strong."
But any type of MFA or TFA is much better than none, says the system administrator who goes by "SwiftOnSecurity."
I evangelize SMS 2FA because it prevents large-scale commodity attackers and because token management is the hardest part (and SMS makes someone else do it for you) but it's not the end of the path and not solely appropriate for people with privileged access.— SwiftOnSecurity (@SwiftOnSecurity) August 1, 2018
"The infosec industry will do a whole thing about SMS 2FA not being secure. Reality check: most [organizations] haven't even made it that far," says U.K. security expert Kevin Beaumont, aka @GossiTheDog, via Twitter. "SMS 2FA is a way of raising the bar."
"Not only that, but you have to look at probability, not just possibility," says Wendy Nather, director of advisory CISOs at Duo Security, via Twitter. "Will my house withstand a tank attack? Of course not, but what are the chances of someone targeting me? We need to be realistic about attack scenarios for different organizations."
Reddit Adopts Stronger Two-Factor Authentication
It's notable that Reddit is dumping two-factor authentication, moving to using a more secure version. It's also recommending that users always use TFA, as well as unique passwords that they never reuse anywhere else (see Why Are We So Stupid About Allowing Overused Passwords?).
"As in all things, a strong unique password and enabling 2FA - which we only provide via an authenticator app, not SMS - is recommended for all users, and be alert for potential phishing or scams," Slowe says.
NCSC's advice to Reddit users is to change their passwords if they haven't done so since 2008, enable two-factor authentication, use a password manager, report any suspicious emails they receive to relevant authorities as well as to use the free Have I Been Pwned breach alert service to see if their credentials may have appeared in any other breaches (see Credential Stuffing Attacks: How to Combat Reused Passwords).
Reddit: 'We're Hiring'
Reddit's Slowe also used the breach notification to highlight that Reddit has job openings for a cloud security engineer and a threat detection automation engineer.
"In other news, we hired our very first head of security, and he started 2.5 months ago," Slowe added. "I'm not going to out him in this thread for obvious reason, and he has been put through his paces in his first few months. So far he hasn't quit."