Reddit said that a digital attacker infiltrated some of its systems and accessed user data during a recent security incident.
On 1 August, the social news aggregation website revealed that an attacker had compromised a few of its employees’ accounts with its cloud and source code hosting providers sometime between 14 June and 18 June. Reddit believes those responsible obtained access to those accounts, which were protected with SMS-based two-factor authentication (2FA), via an SMS intercept attack. In that technique the SMS messages carrying one-time 2FA codes are redirected to a device under the attacker’s control, so the attacker can supply the second factor alongside the account password.
Those who infiltrated Reddit did not obtain write access to the website’s systems, but they did gain read access to some user data. That data included login credentials, email addresses, private messages and all other user data from the site’s early years, 2005 through May 2007. The incident also exposed email digests sent between 3 June and 17 June, which tie usernames to email addresses.
Responding to the incident, Reddit notified law enforcement about the data access and said it is in the process of informing users whose information might have been compromised. It also disclosed that it has implemented additional security measures, including more thorough logging, encryption and token-based 2FA.
Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), said it’s a good idea that Reddit is moving away from SMS-based login verification:
Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers. The most common technique is most likely use of smartphone malware which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user, but this seems less likely in such a targeted campaign. Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No. 7 (SS7) protocol, which is at the heart of modern telephony routing, or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM. An attacker within the same cellular coverage area as the victim could even intercept and decrypt SMS out of the air with just a couple hundred dollars of equipment. The moral of this story is that SMS-based 2-factor authentication should not be considered “strong” in the face of a determined attacker.
For information on how to set up 2FA on your Reddit account, click here. You can also read this article on how to enable 2FA on a number of other web accounts.