Reddit Breached After SMS 2FA Fail

Reddit discloses ‘serious’ security breach it discovered on June 19th

Reddit says "the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages)".

Reddit encourages users to change their passwords if they are similar to those they had in 2007, and to enable token-based two-factor authentication, since the hackers reached its systems by intercepting SMS-based two-factor codes.

Reddit reported that a malicious hacker or group of hackers was recently able to steal some old user data, as well as some current email addresses.

Reddit suggested that concerned users search their own inboxes to see whether they received an "email digest" from the firm between 3 and 17 June this year, the period for which hackers were able to obtain detailed logs on user activity and identity.

And while unrelated to the data incident, Reddit is also hiring for a couple of security-related positions that should help continue to shore up its site against future threats.

If you don't have an email address associated with your account, you're not affected by this part of the breach.

"The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs", Reddit engineer "KeyserSosa" said in a post detailing the security incident. Since the company isn't clear about the breach's size, and breaches are often worse than they first appear, you might as well change your password as a precaution; you've nothing to lose by doing it.

Reddit said it was contacting affected users and would be resetting their passwords.

The company says it learned of the attack on June 19 and that it took place between June 14 and June 18.

While Reddit uses two-factor authentication to protect staff logins, the challenge and response codes were transmitted out-of-band via SMS, and those messages were intercepted by the hackers.

Robert Siciliano, security analyst at online security company Hotspot Shield, said the breach can have serious far-reaching consequences.

If you signed up for Reddit after 2007, this doesn't affect you.

Siciliano compared it to the 2015 breach of dating website Ashley Madison, which exposed the names and email addresses of more than 36 million account holders.

Logs containing the email digests we sent between June 3 and June 17, 2018.

Security and data breaches have pretty much become the norm for tech companies as of late.

"Cyber criminals can steal a victim's phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication", Moffitt said.

We will be updating this story as and when new information comes in regarding Reddit's recent data breach. What Reddit found was that a complete copy of an old database was made.
