Reddit said in a blog post Wednesday that a hacker broke into the company’s systems in June and gained access to a variety of data, including user emails, source code and internal files, and “all Reddit data from 2007 and before.” And it likely could have been avoided if some Reddit employees were using two-factor authentication apps or physical keys instead of their phone numbers.
“On June 19, we learned that an attacker compromised a few of Reddit’s accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes,” a Reddit spokesperson said in a statement. (Advance Publications, which owns WIRED publisher Condé Nast, is Reddit’s majority shareholder.) “We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future. A small number of users were affected and have been notified.”
Among the compromised information was a 2007 Reddit database backup, which means if you were using the platform back then, your account information from that time—like your email address, username, and password—has been exposed. Reddit says the passwords were protected by cryptographic salting and hashing defenses, but if you still use that old password for your Reddit account, or any online account, you should change it to a strong, random password in case the Reddit trove can be cracked.
“Since the salting and hashing is going back to 2006 or 2007, it’s likely sub-optimal,” says Kenn White, director of the Open Crypto Audit Project. “Everyone should probably change their passwords.”
Reddit also noted that logs from June 3 to June 17, 2018 related to the platform’s “email digests” were exposed. This is a problem, because access to that information would allow attackers to see the usernames connected to each user email address—helpful information if you’re trying to compromise accounts. The digests also make suggestions about posts and subreddits a user might like, which potentially gives attackers additional information about individuals on Reddit.
Those are the main user impacts the company is highlighting, but chief technology officer Christopher Slowe mentions in the blog post that the breach also compromised “Reddit source code, internal logs, configuration files and other employee workspace files.” All those things combined could give hackers deep insight into Reddit’s fundamental structure and architecture, which creates a long-term risk the company will need to address.
“Once a criminal sneaks in through a window in your house in the middle of the night, yes, they can steal your china, snap a picture of your bank statements, and drink your beer,” White says.
Attackers got into Reddit’s systems by compromising some employee administrative accounts for company cloud storage and source code storage. Slowe notes in the blog post that the employees were using two-factor authentication to protect these crucial accounts, but some number of them had that layer of protection set up with SMS—meaning someone would need a code texted to their mobile number to complete an account login. The problem is that SMS-based two-factor is known to be insecure, because attackers can launch a “SIM swapping” attack to take control of a user’s SIM card and all the data coming to their phone number.
Though the average consumer may not have heard about the dangers of using SMS in two-factor authentication, the tech community has known about the risk for a few years. Yet somehow Reddit missed the memo. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe wrote on Wednesday.
“What they are saying is that their cloud infrastructure had high-privilege accounts secured by crappy two factor protections and one of their admins was popped,” White says. “A high-value property like Reddit secured with some dude’s mobile number is no bueno.”
Reddit says that it will notify users whose current account password relates to credentials compromised in the breach, and will prompt those affected individuals to change their passwords. The company is encouraging everyone to “think about whether you still use the password you used on Reddit 11 years ago on any other sites today. If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”
The company also says users should do as it says, not as it (apparently) does, and only use authentication apps or physical authentication tokens for two-factor protection. As Slowe notes, SMS-based two-factor is not an option for Reddit accounts.