Reddit's Hack & The Risks of Phone-Based 2-Factor Authentication
In a statement released on August 2nd 2018, the popular social media sharing website Reddit announced that it had been the victim of a cyber attack leading to a breach of user data and source code. In this briefing we take a look at what happened, what was accessed and why the attack was possible.
Between June 14th and 18th 2018 an unknown attacker gained access to some of Reddit's source code repositories and cloud hosting services. According to Reddit's statement, the attacker compromised a small number of employee accounts at those providers and got past the two-factor authentication on them by intercepting SMS-based login codes; the first factor (the password) had evidently already been obtained or guessed.
The attack was discovered on June 19th, whereupon the compromised access was revoked and law enforcement was notified. Reddit began notifying its users roughly six weeks after the breach. This is a relatively long time, but not unheard of: the period before a breach is publicly disclosed varies with how far the incident response and investigation have progressed.
What information was accessed?
According to Reddit's statement, two distinct sets of user data were accessed by the attacker:
A full snapshot of Reddit data from 2007. This information includes posts, private messages, email addresses and user credentials. The passwords were individually salted and hashed, which makes recovering strong passwords from the dump impractical; weak or reused passwords from that era can still be cracked, so anyone who has kept a 2007 password in use should change it. Since the platform had far fewer users in 2007 than it does now, this part of the breach affects only a fraction of the current user base.
Email digests sent in June 2018. Reddit offers a feature that periodically sends users emails highlighting posts they may enjoy. These emails tie account names to email addresses and content preferences and are therefore personal information. Some or all of the digests sent in June 2018 before the attack was discovered appear to have been accessed by the attacker. Since the digest feature is not enabled by default, it is unclear how many users were affected.
How could the hack happen?
Like a large share of real-world cyber attacks, this one started with weak or stolen passwords. Whether those passwords were guessed, brute forced, leaked or phished is unclear, and for the lesson of this incident it hardly matters: the password was only the first factor, and it was the second factor that was supposed to stop the attacker.
Reddit uses two-factor authentication (2FA) for its administrator and developer accounts as an added security measure. Unfortunately, for at least some of these accounts the second factor was a one-time code delivered by SMS.
SMS-based 2FA is weak because a text message offers no end-to-end protection between the service and the user's handset: the code is generated by the service, handed to the carrier and routed through the mobile network in the clear. Anyone who can redirect or read that message holds the second factor. Well-known ways to do this are SIM swapping (convincing the carrier to move the victim's number to an attacker-controlled SIM), abuse of the SS7 signalling network to reroute messages, and over-the-air interception with a fake base station, which is feasible because 2G networks do not authenticate the network to the handset and use weak ciphers. The security model of mobile networks has largely relied on the equipment needed for such attacks being expensive, but inexpensive Software Defined Radio hardware and open-source software have drastically lowered that barrier and made these attacks far more common.
How can I protect myself and my organization?
SMS-based 2FA is still better than no second factor at all, and for individuals who are unlikely to be singled out by an attacker it may be an acceptable trade-off. Organizations and anyone likely to be targeted, however, should migrate to either hardware-based authenticators or TOTP (Time-based One-time Password) apps. With TOTP the shared secret never leaves the device and no code is sent over a network the attacker can tamper with; with hardware keys such as FIDO U2F tokens the second factor is additionally bound to the site's origin, which also defeats real-time phishing, something neither SMS nor TOTP codes can prevent. A multitude of solutions for both methods is available, ranging from apps to dedicated devices. The technology is ready for large-scale corporate deployment and already widely used by many large organizations. Individuals who wish to improve their personal security are advised to take the same measures. The most common and widely accepted TOTP app for private users is Google Authenticator, but any RFC 6238-compliant authenticator app works with the same enrollment secrets.