Organizations that don’t invest in robust internet security are going to face a data breach scandal. It’s just a matter of time.
Reddit became the latest company to reveal that hackers gained access to private information, including email addresses, user credentials and private messages. While much of the data was old archival information, some of the user data was currently active.
Reddit revealed the breach in a blog post:
On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
For users looking for a less-dense version, the company offered this summary:
TL;DR : A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.
[FREE GUIDE: 3 helpful tips for your crisis comms prep]
Noticeably missing from the announcement was any kind of apology. Instead, Reddit offered actions that it was taking to protect users in the future:
Some highlights. We:
- Reported the issue to law enforcement and are cooperating with their investigation.
- Are messaging user accounts if there’s a chance the credentials taken reflect the account’s current password.
- Took measures to guarantee that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.)
A key part of Reddit’s explanation hinges on the use of SMS-based two-factor authentication (2FA).
So how did this happen? It appears that SMS-based two-factor authentication played a key role.”Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” notes the statement. “We point this out to encourage everyone here to move to token-based 2FA.”
However, some in the tech industry can’t believe that Reddit wasn’t more careful.
Though the average consumer may not have heard about the dangers of using SMS in two-factor authentication, the tech community has known about the risk for a few years. Yet somehow Reddit missed the memo.
Others chimed in on Twitter that 2FA is a bad industry practice:
Reddit got hacked. They were using SMS 2FA. Never use SMS 2FA. Always use an external authenticator. pic.twitter.com/ELBOPwQn7v
— Emptybeerbottle (@Fullbeerbottle) August 1, 2018
For users who have been compromised, Reddit recommends these steps:
If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.
And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams.
The breach follows a string of data loss events from major organizations, including Equifax.
What do you think of Reddit’s crisis response?