Reddit Suffers Data Breach: What You Need to Do Next


Reddit reported that a malicious hacker or group of hackers was recently able to steal some old user data, as well as some current email addresses. The hacker appears to have intercepted some of the employees’ SMS codes that were used for two-factor authentication (2FA).

What Information Was Stolen?

According to the Reddit announcement about the security incident, the attacker was able to gain access to a complete backup copy of a user database dating from 2005 to 2007. This database included usernames, salted and hashed passwords, email addresses, and all public posts, as well as private messages.

Reddit said that it will notify all users who are impacted by this particular data leak. Those who signed up for the online service after 2007 should be in the clear.

Additionally, the attacker gained access to logs containing email digests sent by Reddit to users between June 3 and June 17, 2018. The digests also connected usernames to the email addresses to which the digests were sent, as well as suggested posts based on the subreddits to which the users subscribed.

Reddit's post says that if you didn’t have an email associated with your Reddit account and you didn’t have the email digests feature checked in your account’s settings, then this particular leak shouldn’t impact you.

What Do I Do if I'm Affected?

Reddit will reset the passwords of those whose accounts were exposed to the data breach. The company also enabled enhanced logging for its systems and switched from SMS 2FA to authentication based on hardware security keys.

If you believe you are in the group affected by the data breach, you should reset your password even if Reddit doesn’t do it automatically. If you used the same password on other sites, you should change it there, too.

If you were subscribed to the email digests and don’t want data related to that account to be traced back to your email address, Reddit recommended you check the help page for how to remove that information.

Lastly, Reddit recommends you use a strong, unique password, as well as an authenticator app for 2FA. Reddit hasn’t yet enabled support for U2F security keys for user accounts.

How the Attacker Broke into Reddit’s Hosting Accounts

On June 19, Reddit learned that an attacker compromised the accounts of some of its employees for the company’s cloud hosting providers. Following an investigation, Reddit discovered that the attacker must have gained access to the SMS 2FA codes the employees would use to authenticate to those cloud hosting accounts.

The attackers would only be able to do this if they could intercept the SMS codes, either by hacking the Signaling System Seven (SS7) network, which wireless carriers refuse to fix even when called out by members of Congress, or by using social engineering to have the Reddit employees’ phone numbers ported to the hackers’ own phones.

The attackers would also need the cloud hosting account passwords, but this is usually the easy part if employees re-use their passwords instead of using a password manager. With so many data breaches happening lately, the chances that a re-used password was exposed are quite high.

Takeaway from Reddit’s Hack

SMS 2FA is no longer to be trusted, and it hasn’t been secure for many years. The National Institute of Standards and Technology, which typically sets standards for U.S.-based cryptography protocols, deprecated SMS 2FA more than two years ago.

However, too many companies today continue to encourage their users to use SMS 2FA, in part because it’s convenient (everyone has a phone with SMS support), but also because it’s a way to get you to give them your phone number. Although they haven’t been on the market for too many years, U2F security keys already have a strong track record of keeping accounts secure.

If more companies start supporting U2F keys, that should encourage users to buy them, too, which means future data breaches won’t have as large an impact.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • therealduckofdeath
    That sounds like a fairly elaborate hack. I wonder if a certain grumpy American intelligence agency is out doing some counter spying on the election trolls?
    Reply
  • Chaos2Theory
    21195592 said:
    That sounds like a fairly elaborate hack. I wonder if a certain grumpy American intelligence agency is out doing some counter spying on the election trolls?
    Nothing quite beats election trolls like stealing account information from 2007....
    Reply
  • therealduckofdeath
    21196266 said:
    Nothing quite beats election trolls like stealing account information from 2007....
    Connecting the dots. Finding old patterns of people. Who's pushing whom's buttons. You know, forensics and all that they say agencies like that usually do.
    Reply
  • lxtbell2
    The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?
    Reply
  • merlinq
    21199292 said:
    The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?

    For one, and this is a BIG one:
    Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
    So if your "Second Factor Authentication" is also on your phone...
    Well, it's not really second factor at all in the first place, is it?

    Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

    Modern hardware keys are really the only way to handle 2FA anymore:
    They are easily carried;
    In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
    Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
    Can use standard USB protocol to communicate with just about any wired device known to man;
    Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm response.)
    Reply
  • lxtbell2
    21199524 said:
    21199292 said:
    The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?

    For one, and this is a BIG one:
    Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
    So if your "Second Factor Authentication" is also on your phone...
    Well, it's not really second factor at all in the first place, is it?

    Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

    Modern hardware keys are really the only way to handle 2FA anymore:
    They are easily carried;
    In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
    Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
    Can use standard USB protocol to communicate with just about any wired device known to man;
    Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm response.)

    1. It IS second factor authentication, and as secure. The first factor is password, not where the account is accessed. Also you need to plug the hardware key into the device "accessing the accounts" anyway. Don't see a problem with that.
    2. Google Authenticator IS cryptographically secure. Read the implementation. Namely, you can't guess the next pin even with all previous pins.
    3. Screen capture on phone requires extensive user permission, and invalidated upon end of capture session, due to #2 above.
    Reply
  • therealduckofdeath
    21199524 said:
    For one, and this is a BIG one:
    Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
    So if your "Second Factor Authentication" is also on your phone...
    Well, it's not really second factor at all in the first place, is it?

    Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

    Modern hardware keys are really the only way to handle 2FA anymore:
    They are easily carried;
    In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
    Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
    Can use standard USB protocol to communicate with just about any wired device known to man;
    Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm response.)

    By those standards, nothing is secure as anything can be stolen. It's a massive hurdle to get past to gain screen capture and key logging control over a smart phone. You'd basically have to steal the specific one and return it to the owner unnoticed. Sure, that's easy in Tom Cruise movies but not so much in real life. No security is perfect, but 2FA is infinitely safer than a plain password.
    Reply
  • Chaos2Theory
    21202914 said:
    21199524 said:
    For one, and this is a BIG one:
    Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
    So if your "Second Factor Authentication" is also on your phone...
    Well, it's not really second factor at all in the first place, is it?

    Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

    Modern hardware keys are really the only way to handle 2FA anymore:
    They are easily carried;
    In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
    Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
    Can use standard USB protocol to communicate with just about any wired device known to man;
    Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm response.)

    By those standards, nothing is secure as anything can be stolen. It's a massive hurdle to get past to gain screen capture and key logging control over a smart phone. You'd basically have to steal the specific one and return it to the owner unnoticed. Sure, that's easy in Tom Cruise movies but not so much in real life. No security is perfect, but 2FA is infinitely safer than a plain password.
    Dead wrong, nearly all compromised accounts these days come from Phishing attacks, and 2FA does nothing to prevent phishing. It's really not much more difficult than obtaining a username and password, full stop.

    Edit: 2FA using a code generated by any means, app on the phone, sms, or email. Physical 2FA keys on the other hand work really well.
    Reply
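
Added example, not part of the thread or the article: a minimal RFC 6238 TOTP generator and verifier in Python, illustrating the points argued in the comments above (codes come from a shared secret plus the clock, stay valid only for a short window, and are not tied to the site they are typed into). The secret is the RFC test key; `observed_code_accepted` and the one-step skew are assumptions of this sketch.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII test key from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per code, the usual authenticator-app setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Server-side check. Note what is NOT an input: who is submitting the
    code, or which site the user typed it into. Only secret and time matter."""
    now = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, now + drift), submitted)
        for drift in range(-skew, skew + 1)
    )


def observed_code_accepted(seen_at: int, delay: int) -> bool:
    """A code read off the screen at `seen_at` (screenshot, shoulder-surf,
    or typed into a look-alike page) and submitted `delay` seconds later."""
    return verify(SECRET, totp(SECRET, seen_at), seen_at + delay)


if __name__ == "__main__":
    print(totp(SECRET, 59, digits=8))       # RFC 6238 test vector
    print(observed_code_accepted(59, 20))   # still inside the acceptance window
    print(observed_code_accepted(59, 120))  # acceptance window has passed
```

A U2F key instead signs a server challenge together with the site's origin, so a response produced for a look-alike domain fails verification at the real site.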
  • therealduckofdeath
    21203932 said:
    Dead wrong, nearly all compromised accounts these days come from Phishing attacks, and 2FA does nothing to prevent phishing. It's really not much more difficult than obtaining a username and password, full stop.

    Edit: 2FA using a code generated by any means, app on the phone, sms, or email. Physical 2FA keys on the other hand work really well.

    Your idea of all hackers homing in on each target with a vengeance is out of touch with reality. Almost all breaches use stolen password databases which are often obtained by exploiting either poor server security or lacking procedures. Trying to get onto one specific device and bypass all layers of security, undetected, to get to the 2FA is a lot of work for little return. Even agencies hacking countries use injected 0-day malware to randomly compromise computers on targeted networks and hope for the best return.
    https://www.calyptix.com/top-threats/top-causes-of-data-breaches-by-industry-2018-verizon-dbir/
    Reply
  • Karadjgne
    So somebody figured out how to get deep into reddit? Why? What did they expect to find other than the accounts of 15yr old kids whose major contributions consisted of maintaining Webster's Vulgarity Dictionary, Thesaurus, and Localized Slang.
    Reply