Reddit said that a digital attacker infiltrated some of its systems and accessed user data during a recent security incident.
On 1 August, the social news aggregation website revealed that an attacker had compromised a few of its employees’ accounts with its cloud
and source code hosting providers sometime between 14 June and 18 June. Reddit believes those responsible obtained access to those accounts, which were protected with SMS-based two-factor authentication (2FA), via a SMS intercept attack. This technique allows SMS messages containing 2FA codes to be redirected to devices under an attacker’s control.
Those who infiltrated Reddit didn’t obtain write access to the website’s systems. But they did gain read access to some user data. Those pieces of information included login credentials, email addresses, private messages and all user data for the site between 2005 and May 2007. The security incident also exposed email digests sent between 3 June and 17 June, items which connected usernames to email addresses.
Responding to the incident, Reddit notified law enforcement about the data access and said it’s in the process of informing users’ whose information might have been compromised. It also disclosed that it’s implemented additional security measures including more thorough logging, encryption and token-based 2FA.
Craig Young , a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), said it’s a good idea that Reddit is moving away from SMS-based login verification:
Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers. The most common technique is most likely use of smartphone malware which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity (Read more...)