Earlier this year, the online company Reddit announced that they had suffered a security breach in June. In the announcement, they stated some of their internal systems had been compromised and the attackers had gained ‘read-only’ access to these systems.
The site announced this breach through a post on their platform. They stated that they discovered the attack on June 19th and concluded it had taken place between June 14th and June 18th. In the post they go on to explain that the breach was the result of a few of their employees’ accounts being compromised through their SMS two factor authentication (2FA).
Employees’ accounts were compromised mainly through an SMS intercept attack. This is where the authentication code is intercepted by the attacker by exploiting inherent security flaws in SMS, spoofing a phone or scamming the mobile provider. The company said that they revealed this information to ‘encourage everyone here to move to token-based 2FA’. Token-based 2FA is a different type of authentication, where a software token held on a separate device (another computer, tablet or smart phone) generates the code used to authorise a login, so no code is ever sent over the phone network.
The post states that the data that was accessed, in a ‘read-only’ form, was ‘backup data, source code and other logs’. They say that all Reddit data between the site’s first launch in 2005 and May 2007 was accessed. Included in this were account credentials (usernames + ‘salted hashed passwords’), email addresses and all other content from the site’s early days. Most of the content was public; however, private messages from that time frame were also compromised.
Unfortunately, it wasn’t just old backup information that was accessed by the attackers. ‘Email digests’ sent by Reddit between June 3rd and June 17th 2018 were also accessed. This means that for anyone who received an ‘email digest’ between those dates, their email address could now be linked to a username.
To help keep your online accounts secure, be sure to use a strong, unique password with a minimum of 8 characters (include lowercase and uppercase alphabetic characters, numbers and symbols if permitted) and enable a token-based two factor authentication method for any account that supports it.