Reddit Breach Highlights Limits of SMS-Based Authentication

Gerald Bowen
August 3, 2018

"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication, we learned that SMS-based authentication is not nearly as secure as we would hope", said Reddit. The logs connect usernames with associated email addresses and contain suggested posts from the safe-for-work subreddits users subscribe to. While Reddit calls the attack "serious", it hasn't disclosed the number of users affected and said no data was altered. The hacker was also able to see private and public messages posted from 2005 to 2007. The culprit also viewed logs from Reddit's "email digests", which can associate a username with an email address, if you provided it. Together, these details could.

Sometime in June a hacker got into a few Reddit servers and accessed, among other things, an old database.

Reddit said the hacker never got "write access" to its servers. The company has said that "if there's a chance the credentials taken reflect the account's current password", it will make you reset your Reddit account password.

According to Reddit, it learned on 19 June that between 14 and 18 June attackers compromised a small number of employee accounts used to access "cloud and source code hosting providers".

Reddit said it migrated employees from SMS-based 2FA to token-based 2FA and urged other companies and users to do the same.

Speaking to the BBC, prominent security researcher Troy Hunt, whose speciality lies in data breaches affecting consumers, did not hide his incredulity: "This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?" For its part, Reddit recommends that users search their inboxes for emails sent by noreply@redditmail.com between June 3 and June 17 to learn if they were affected.


Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor.

If there is, they might want to remove that information (posts, drafts, comments, private messages, chat messages) from the account.

In terms of what exactly was accessed, Reddit said attackers obtained read-only access to systems, source code and other logs. If your account is among those exposed, the attackers know your email address and username but not your password, which has potentially troubling implications discussed below.

Reddit also said it will notify affected users that their data has been accessed and what was accessed.

Keith Graham, chief technology officer at SecureAuth + Core Security, said the news demonstrates that "organizations need to go further than just two-factor authentication, utilizing identity platforms that join silos of data together to create comprehensive identity controls".
