A hacker who compromised the accounts of a few Reddit employees who are with the company's cloud and source code hosting providers penetrated some of its systems and accessed user data, including email addresses and a 2007 backup of a database that contained old salted and hashed passwords.
"Already having our primary access points for code and infrastructure behind strong authentication requiring two- factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company said in a post.
Industry insiders agreed with Reddit's analysis of its use of 2FA.
"Reddit learned the hard way that SMS-based authentication is not nearly as secure as they hoped," said Ambuj Kumar, CEO, Fortanix. "Even though the accounts were secured using two-factor authentication, they were using SMS-based authentication. Security researchers have long argued that SMS are not simply secure enough."
Attackers "can intercept text messages using fake base stations or subscriber hijacking attacks," he explained. "This is exactly what happened in the case of Reddit – ‘an SMS interception technique was used to circumvent the two-factor authentication.'"
Tyler Moffitt, Webroot's senior threat research analyst, said SMS-based authentication is more secure than a password, but vulnerable to attack, pointing to multiple celebrity hacks.
He called the phone number the weakest link. "Cyber-criminals can steal a victim's phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication," said Moffitt. "For example, a cyber-criminal would simply need to give a wireless provider an address, last 4 digits of a Social Security number, and perhaps a credit card to transfer a phone number."
That type of data, he noted, "is widely available on the dark web thanks to large database breaches like Equifax."
Kumar noted that many banks and service providers still use SMS-based authentication. "In the Digital Identity Guidelines published by NIST last year, SMS-based authentication is considered risky and its use is restricted," he said. "While two-factor authentication can help a lot, it has to be the right kind of two-factor!"
Reddit, which learned on 19 June that a hack had occurred between 14-18 June, said a "painstaking investigation" revealed that "the attacker did not gain write access to the company's systems; they gained read-only access to some systems that contained backup data, source code and other logs" but weren't able to modify Reddit data.
The attacker was able to access all data from 2007 and prior, including credentials and email addresses, and accessed the database backup, which contained user data from 2005, when the site launched, through May 2007.
"The most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then," the company wrote.
The hacker also accessed email digests that Reddit sent in June 2018, including logs between 3-17 June, which links usernames to email addresses and "contain suggested posts from select popular and safe-for-work subreddits you subscribe to."
The company said it has reported the hack to law enforcement, is notifying users and has taken steps, such as additional encryption and requiring token-based 2FA, to better secure additional points of privilege to Reddit systems.
Dan Hubbard, chief security architect at Lacework, praised Reddit for "being remarkably transparent about the source and damage from the attack."
"While it seems that the cyber-criminals only have read-access to this data, I'm glad that Reddit is now moving to a token-based two-factor authentication model, which provides a greater layer of security," said Moffitt.
But Joseph Carson, chief security scientist at Thycotic is "concerned that Reddit seems to be playing down the data breach as it was only read access to sensitive data and not write." While that is a positive, "it does not reduce the severity of the data breach when it relates to sensitive data."