Some security researchers are concerned about how Reddit is handling a recent data theft incident.
Internet stalwart Reddit yesterday (1 August) disclosed details of a data breach, which occurred between 14 and 18 June of this year. The company said that a hacker infiltrated a few of its systems and successfully accessed some user data.
According to the company, it has been conducting an intensive investigation since the incident came to light. The hacker accessed user data including some current email addresses from Reddit digests sent to users, as well as usernames and a database backup from 2007, which contained old salted and hashed passwords.
How did the breach happen?
Three words: employee account compromise. Although the employee accounts accessed were protected by two-factor authentication (2FA), the type of 2FA used by staff relied on one-time passwords (OTPs) sent to or generated by a mobile phone. These OTPs can be easily intercepted or phished.
Token-based protection such as physical security keys are regarded by the security industry as the safest form of 2FA, which is based on Universal Second Factor (U2F). Google was recently in the spotlight for its adoption of physical security keys.
Reddit said: “We learned that SMS-based authentication is not nearly as secure as we would hope and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
The company stressed that the attacker did not gain write access to Reddit systems and was unable to alter Reddit information. It added that it has further locked down and rotated all API keys and production secrets. Monitoring and logging systems are also being upgraded.
What is Reddit doing about it?
Reddit is cooperating with law enforcement and is messaging user accounts if there is a chance that the credentials stolen reflect the account’s current password (changing your password is a good idea). Security measures are also being beefed up.
Some criticism is being levelled at the platform for putting the onus on users affected by the email digest theft to consider if they have any data they wouldn’t want to be associated with their email addresses.
These addresses, which may have been accessed through the theft of the emails, could identify individuals. The users affected here were told to search through their own inboxes to see if they received a digest via email from Reddit between 3 and 17 June of this year.
The firm only hired its first ever head of security two months ago, said chief technology officer Christopher Slowe. He added: “I’m not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months. So far, he hasn’t quit.”
Reddit has declined to disclose the volume of affected users.
Not all 2FA methods are created equal
Joseph Carson, chief security scientist at Thycotic, told Siliconrepublic.com: “The hack at Reddit is a reminder that when protecting sensitive data by choosing 2FA in addition to a password, it is important to know that not all 2FA offers the same security; for example, the difference between using SMS-based authentication and token-based authentication.
“I am concerned that Reddit seems to be playing down the data breach as it was ‘only read access to sensitive data and not write’. This is positive news; however, it does not reduce the severity of the breach when it relates to sensitive data.”