Reddit has reported that an attacker (or group of attackers) stole an old backup of user data along with some current email addresses. The attacker got in by intercepting the SMS one-time codes that Reddit employees used for two-factor authentication (2FA) on the company's hosting accounts.
What Information Was Stolen?
According to Reddit's announcement of the incident, the attacker obtained a complete copy of an old database backup covering the site's launch in 2005 through May 2007. That backup contains usernames, salted and hashed passwords, email addresses, and all content from that period (mostly public posts and comments, but also private messages).
Reddit said it will notify every user affected by this part of the leak. Anyone who signed up after 2007 is not in that backup.
Additionally, the attacker gained access to logs of the email digests Reddit sent to users between June 3 and June 17, 2018. Each digest ties a username to the email address it was sent to, and its suggested posts reveal which subreddits that user subscribed to.
Reddit's post says that if you had no email address associated with your account, or had the email digest option turned off in your account settings, this part of the leak does not affect you.
What Do I Do if I'm Affected?
Reddit will reset the passwords of users whose credentials were in the exposed backup. The company also enabled enhanced logging on its systems and moved its employee accounts from SMS-based 2FA to token-based 2FA using hardware security keys.
If you believe you are in the affected group, reset your password even if Reddit does not do it for you. If you reused that password on other sites, change it there too: a salted hash is not a guarantee, since old 2007-era hashes can be cracked offline at leisure.
If you were subscribed to the email digests and do not want data from that account traced back to your email address, Reddit pointed users to its help page for removing the association.
Lastly, Reddit recommends a strong, unique password and an authenticator app for 2FA. As of this writing, Reddit has not yet enabled support for U2F security keys on user accounts.
How the Attacker Broke into Reddit’s Hosting Accounts
On June 19, 2018, Reddit learned that an attacker had compromised the accounts of several employees at the company's cloud and source-code hosting providers. Reddit's investigation concluded that the main attack was an SMS intercept: the attacker obtained the SMS 2FA codes those employees used to log in to the hosting accounts.
An attacker can only do that by getting hold of the SMS codes, either by exploiting weaknesses in Signaling System 7 (SS7), the carrier signaling network that operators have been slow to fix even after members of Congress called them out, or by SIM swapping: socially engineering the carrier into porting the employees' phone numbers to SIM cards the attacker controls.
The attacker would also have needed the hosting account passwords, but that is usually the easy part when employees reuse passwords across sites instead of generating unique ones with a password manager. Given the volume of breaches in recent years, the odds that a reused password has already been exposed somewhere are high.
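The reuse problem can be checked for, not just warned about. Below is an added example (not from the original article, and not Reddit's code) of the k-anonymity range query that Have I Been Pwned's Pwned Passwords service uses: the client hashes the password with SHA-1 and sends only the first five hex characters; the server returns every hash suffix in that bucket, and the client does the final match locally, so the full hash never leaves the machine. The breach corpus here is a small constructed dictionary standing in for the real service, and the `reuse_report` helper that groups a user's sites by shared password is my own addition.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for a breach corpus: password -> made-up occurrence count.
BREACHED_PASSWORDS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 25_000_000,
    "letmein": 200_000,
    "Summer2018!": 1_500,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket every hash by its 5-character prefix, storing only
    the 35-character suffix and the count in each bucket."""
    index: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for password, count in breached.items():
        digest = sha1_hex(password)
        index[digest[:5]].append((digest[5:], count))
    return index


def range_lookup(index: Dict[str, List[Tuple[str, int]]], prefix: str) -> List[Tuple[str, int]]:
    """Server side: answer a range query. The server sees only the prefix, so it
    cannot tell which of the bucket's entries (if any) the client is interested in."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return list(index.get(prefix, []))


def breach_count(password: str, index: Dict[str, List[Tuple[str, int]]]) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(index, prefix):
        if hmac.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def reuse_report(credentials: Dict[str, str],
                 index: Dict[str, List[Tuple[str, int]]]) -> Dict[str, dict]:
    """Given site -> password, report for each site whether its password is
    shared with other sites and whether it appears in the breach corpus.
    A password that is both reused and breached means every listed site falls."""
    sites_by_hash: Dict[str, List[str]] = defaultdict(list)
    for site, password in credentials.items():
        sites_by_hash[sha1_hex(password)].append(site)
    report: Dict[str, dict] = {}
    for site, password in credentials.items():
        shared_with = [s for s in sites_by_hash[sha1_hex(password)] if s != site]
        report[site] = {
            "reused_on": sorted(shared_with),
            "breach_count": breach_count(password, index),
        }
    return report


if __name__ == "__main__":
    index = build_range_index(BREACHED_PASSWORDS)
    # Constructed sample: an employee reusing one password across work and personal accounts.
    creds = {
        "cloud-hosting": "Summer2018!",
        "personal-forum": "Summer2018!",
        "bank": "xk7#Qp2!vLm9@zRw",
    }
    for site, info in reuse_report(creds, index).items():
        print(site, info)
```

Only the five-character prefix reaches the server, which in the real service leaves a bucket of several hundred suffixes per query. That is why the check is safe to run against passwords you actually use; sending the full SHA-1 would hand over a hash that can be cracked offline. Feeding the same index a list of enterprise accounts, as in `reuse_report`, is the cheap audit that would have flagged the situation the article describes.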
Takeaway from Reddit’s Hack
SMS 2FA should no longer be trusted, and it has not been secure for years. The National Institute of Standards and Technology (NIST), which publishes the U.S. federal standards for cryptography and digital identity, deprecated SMS as an out-of-band authenticator in its draft Digital Identity Guidelines (SP 800-63B) in 2016, more than two years before this breach.
Even so, too many companies still steer users toward SMS 2FA, partly because it is convenient (everyone has a phone that receives SMS) and partly because it is a way to collect your phone number. U2F security keys have been on the market for only a few years, but they already have a strong track record, because the key signs a challenge bound to the site's origin: there is no code to intercept, and a code captured by a phishing page or a rogue carrier is useless against it.
If more companies support U2F keys, more users will have a reason to buy them, and future breaches of this kind will have far less impact.