Popular website Reddit has come under fire for its approach to security and its response to a data breach. In a post, Reddit CTO Chris Slowe said hackers had broken into its systems between June 14 and June 18 and stolen user data. The attackers gained access by compromising an unknown number of Reddit employee accounts, despite Reddit having deployed two-factor authentication (2FA).
Reddit said that a backup user database from 2007 was stolen. It contains all messages and user data from 2005 to 2007, including usernames, salted and hashed passwords, email addresses and both public and private content. The company is resetting passwords and sending alerts to accounts where it believes the credentials are still valid. It has said that users who signed up after 2007 are not affected.
The hackers also gained access to the email digests that Reddit sent between June 3 and June 17, 2018. The digests contain a list of suggested posts for users rather than any personal data; however, each one links a username to an email address. Reddit is not going to email the users it thinks are affected. Instead, it is telling them to check whether they have digests turned on.
Reddit source code, internal logs, configuration files and other employee workspace files were also stolen.
Why is Reddit coming under fire?
To many people, Reddit’s response might seem appropriate. Looked at in more detail, however, it has some serious shortcomings.
- The use of SMS-based two-factor authentication: Many organisations still use SMS for 2FA, including banks, credit card companies and SaaS providers. However, back in 2016, the National Institute of Standards and Technology (NIST) said it was no longer a trusted method, pointing to the ease with which the messages can be intercepted. In its alert to users Reddit says: “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept”.
- Not all pre-2007 users will be notified: For pre-2007 users Reddit said: “We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid.” It hasn’t specified what “valid” means. Does this mean users who still post using those credentials? What about users who opened an account and then forgot about it? People are known to reuse credentials, so there is a real likelihood that those usernames and passwords have been recycled elsewhere.
- Current users who get digests must DIY: Reddit has decided against sending emails to those users who receive Reddit digests. This drew the following comment on the BBC News website from security researcher Troy Hunt: “This is personally identifiable data that’s been exposed in what is unequivocally a data breach, why on earth wouldn’t you notify people? In the case where it’s mapped to a username, this is also exposing the identities behind what is very frequently a deliberately anonymous account. People should be made aware of this and contacted individually.”
- How many people are affected: Reddit is not saying. Users in the US are automatically enrolled in the email digest programme; outside the US, users must opt in via a check box. Reddit claims 330 million users, 20 million of whom use the site daily, which means a very large pool of potential targets.
An increased risk of phishing attacks
Reddit’s decision to be selective about who gets informed and which passwords get reset is lazy. Its first response should have been to reset all passwords, not just those from before 2007 that it deems important.
By not taking this action it leaves hackers free to phish its user base. Emails telling people their account may have been compromised and asking them to reset their password through a fake page are easy to arrange. Those who fall for this hand hackers a username, email address and password combination. Those combinations may not work against Reddit, but they will be tried against any other site where the same email address or username turns up.
Security vendors focused on why Reddit used SMS
Unsurprisingly, within hours of Reddit posting its note, journalists found their inboxes full of comment from security vendors. So far, the majority have focused on the use of SMS and on privileged accounts.
Joseph Carson, Chief Security Scientist, Thycotic commented: “The hack at Reddit is a reminder that when protecting sensitive data by choosing 2FA in addition to a password, it is important to know that not all 2FA offers the same security; for example, the difference between using SMS-based authentication and token based authentication.”
Tyler Moffitt, Senior Threat Research Analyst at Webroot, comments: “While Reddit’s use of SMS-based authentication is popular and much more secure than password alone, it’s widely known to be vulnerable to cybercriminals who have hacked many celebrities using this method.”
Keith Graham, CTO at SecureAuth + Core Security commented: “It’s clear that with identity and credentials accounting for the majority of data breaches, more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyberattacks in the future.
“Organisations need to go further than just two-factor authentication, utilising Identity platforms that join silos of data together to create comprehensive Identity controls. Part of those controls should be to implement adaptive authentication that combine techniques such as geographic location analysis, device recognition, IP reputation based threat services, and phone fraud prevention to address the threats at the identity level efficiently.”
What does this mean?
This is another high-profile breach with a large number of users affected. On the positive side, the data taken contains no credit or debit card details. In addition, the passwords were salted and hashed, and they date from 2007, so there is a good chance many have already been changed or the accounts are inactive.
The downside is larger. Using SMS authentication more than two years after NIST said it was fatally flawed makes no sense. However, Reddit is far from alone in this: many banks use SMS to send codes, as do a lot of SaaS solutions. Sign in to several online storage providers from a new machine and they send you a code via SMS. The same is true of credit card providers.
To its credit, after admitting the SMS authentication had failed Reddit said it wanted to: “encourage everyone here to move to token-based 2FA.” The horse may have bolted but at least the next one will have a lock on the stable door.
The biggest surprise is the decision not to notify users. This may be to disguise the number of affected users, or because Reddit didn’t want to panic its customers. Either way, it has left Reddit open to criticism from security experts.
[Note: Enterprise Times emailed a number of questions to Reddit about the breach last night but has had no reply yet. We will update this piece if and when we get one]