Reddit suffers data breach after hackers intercept SMS-based 2FA

Reddit discloses ‘serious’ security breach it discovered on June 19th

He said that the attacker compromised a few of their employees' accounts with their cloud and source code hosting providers, despite them having two factor authentication (2FA) set up for additional protection.

For its part, Reddit has assured users it will inform those affected by the loss of data, but has drawn the line at contacting those affected by the broader breach.

As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data. "We point this out to encourage everyone here to move to token-based 2FA".

SMS hijacking is an increasingly common mode of attack, and critics of SMS 2FA will argue that it's actually a two-step verification process, which is considerably weaker than 2FA via a physical security key.

Reddit said that while the attack was "serious", attackers only managed to get read access, not the write access to Reddit systems.

What was accessed: A complete copy of an old database backup containing very early Reddit user data - from the site's launch in 2005 through May 2007.

Hackers were able to gather information including usernames, email addresses, private messages and encrypted passwords. If you're one of those, the attackers know your email address and username but not your password, which has potentially troubling implications discussed below. Furthermore, any accounts that were active during this time are being forced to reset its password.

This data includes usernames and email addresses linked to those accounts.

Users who signed up to Reddit after May 2007, and messages and posts published, are not affected.

Also accessed were logs containing the email digests Reddit sent between 3-17 June 2018.

"Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim's cellular provider and convinced them to transfer the phone number to a new SIM". Reddit email digests sent in June of 2018, specifically, were also included in the incident.

Security and data breaches have pretty much become the norm for tech companies as of late.

The company goes on to recommend a strong, unique password and the enabling of two-factor authentication - not provided via SMS - for all users, and to keep a look out for potential phishing or scams. If you meet the criteria mentioned in the full breakdown, you should probably change your Reddit password - and you should probably look into two-factor authentication, either way. The company said that since the intrusion it has bolstered its monitoring systems and has reported the breach to law enforcement, which is investigating.

Related news: