Reddit Confirms ‘Serious’ Hack Of User Data


Reddit knew of ‘security incident’ since 19 June but only alerted users more than a month later

More than a month after it happened, Reddit has this week confirmed that it has suffered what it is calling a ‘security incident’.

It said that a “hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.”

But the social news site has not disclosed the scale of the compromise and how many people have been affected.

Tardy response?

And to make matters worse, it seems that Reddit has taken more than a month to publicly acknowledge that it has been hacked.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” it said. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”

“Although this was a serious attack, the attacker did not gain write access to Reddit systems,” the news site said. “They gained read-only access to some systems that contained backup data, source code and other logs.

“They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” Reddit added.

Reddit said it has notified law enforcement, but is only messaging user accounts if there’s a chance the credentials taken reflect the account’s current password.
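The notification criterion above (alerting only accounts whose current password might still match a leaked record) can only be evaluated when the plaintext is in hand, because a 2007-era salted hash and a current, differently salted hash cannot be compared to each other offline. The following is an added example, not Reddit's code: it assumes a hypothetical legacy scheme of SHA-1 over salt||password and a hypothetical current store using PBKDF2-HMAC-SHA256, and the user rows are constructed. At login it verifies the password against the current store first and, if the same password also reproduces the leaked row, forces a reset instead of granting a session.

```python
import hashlib
import hmac


def legacy_hash(salt: bytes, password: str) -> bytes:
    """Assumed stand-in for the 2007-era backup format: one SHA-1 over salt||password.
    The article does not state the real scheme; this is a placeholder."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def current_hash(salt: bytes, password: str) -> bytes:
    """Assumed current format: PBKDF2-HMAC-SHA256 with 200k iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed sample rows standing in for the leaked backup: user -> (salt, digest).
LEAKED_BACKUP = {
    "alice": (b"salt-a-2007", legacy_hash(b"salt-a-2007", "correct horse battery")),
    "bob":   (b"salt-b-2007", legacy_hash(b"salt-b-2007", "hunter2")),
}

# Constructed current password store: alice never changed her password, bob did.
CURRENT_STORE = {
    "alice": (b"salt-a-now", current_hash(b"salt-a-now", "correct horse battery")),
    "bob":   (b"salt-b-now", current_hash(b"salt-b-now", "bob-new-passphrase-2018")),
}


def matches_leaked_record(username: str, password: str) -> bool:
    """True if the submitted plaintext reproduces this user's row in the leaked backup."""
    record = LEAKED_BACKUP.get(username)
    if record is None:
        return False
    salt, old_digest = record
    # Constant-time comparison so the check itself does not leak via timing.
    return hmac.compare_digest(legacy_hash(salt, password), old_digest)


def login(username: str, password: str) -> str:
    """Return 'deny', 'ok' or 'reset_required'.

    The current store is checked first; only a password that is both currently
    valid and present in the leak triggers a forced reset. A wrong password is
    denied without consulting the leaked data, so the check reveals nothing
    about the backup to someone guessing passwords."""
    entry = CURRENT_STORE.get(username)
    if entry is None:
        return "deny"
    salt, digest = entry
    if not hmac.compare_digest(current_hash(salt, password), digest):
        return "deny"
    if matches_leaked_record(username, password):
        return "reset_required"
    return "ok"


if __name__ == "__main__":
    for user, pw in (("alice", "correct horse battery"),
                     ("bob", "bob-new-passphrase-2018"),
                     ("bob", "hunter2")):
        print(user, "->", login(user, pw))
```

Because the legacy digests are only comparable once the plaintext is known, the same check belongs on the password-change path as well, so a user cannot "reset" to the very password that appears in the leak.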

It should be noted that this is not the first time that the social news site has suffered a cyber attack. In 2013 for example it was hit by a distributed denial of service (DDoS) attack, which prevented users from accessing the site.

Expert reaction

Cyber security experts were quick to offer their thoughts on the latest hack of Reddit.

One expert explained that cyber-attacks are always going to happen and that token-based authentication should always be used.

“Network intrusions like this are inevitable,” explained Jason Hart, CTO of data protection at Gemalto. “The Reddit issue reinforces again that being breached is not a question of ‘if’ but ‘when’ and a multi-layered approach to security is needed.”

“Even with multi-factor authentication deployed, the Reddit breach still occurred,” said Hart. “Two years ago NIST made recommendations for companies to consider stronger forms of MFA like token-based authentication. Given today’s security climate, all online companies should use the forms of multi-factor authentication that are appropriate for the data assets being accessed as well as using encryption and key management to secure sensitive data.”

Another expert warned that companies have to take their data protection responsibilities seriously.

“It is unsurprising that the 2018 Digital Trust Index found consumer trust in the ability or desire of organisations to fully protect user data flagging when companies, like Reddit, do not seek to address all those users whose personally identifiable information is exposed in a data breach,” said Stephen Walsh, director of security at CA Technologies.

“But not only is poor data stewardship rife – the threat to consumer data is compounded by a staggering perception gap in how business executives perceive their ability,” said Walsh. “In fact, 90 percent of organisations claim that they are very good at protecting consumer data, despite the fact that nearly half of business executives admitted that their company has been involved in a publicly disclosed consumer data breach in the last year.”

“Companies must meet their responsibilities on data stewardship or risk serious ramifications – not just in losing trust of customers, but in facing potential regulatory penalties, such as under the GDPR,” said Walsh. “Organisations can mitigate these risks by taking a proactive stance on security, such as narrowing their policies for sharing user data, reducing privileged user access, implementing continuous user authentication technologies, and adopting better cybersecurity and privacy controls to stop hackers.”

Meanwhile another expert said that whilst the stolen information does not include financial data, it is still very valuable to the criminal underworld.

“Fortunately, this Reddit breach doesn’t include credit card information,” said Robert Capps, VP at NuData Security (a Mastercard company). “However, we all know bad actors are very talented at preparing fraud schemes with the kind of user information that was leaked. From phishing scams and dictionary attacks – where fraudsters try certain common passwords based on the user’s information – to synthetic identities; as little as an email address can go a long way in the hands of a bad actor.”

Another expert warned that organisations have to regularly reassess their defensive strategies to make sure they are fit for purpose, and that even salted and hashed passwords are not safe from a determined foe.

“The Reddit breach underscores how the application of best practices, like use of MFA, also need to be revisited over time as new attack techniques come to light,” said Travis Biehn, technical strategist at Synopsys.

“You can look at the timeline for SMS hijacking techniques – the first practical attacks were presented a few years ago – and now these are being increasingly commoditised for a wide array of attackers,” said Biehn.

“Right now, the best users can do is rely on two factor authentication, which raises the cost for attackers, and use a password manager to reduce the risk of password re-use,” he said. “Attackers use this information in a few ways. First up, they’ll try account name and password pairs on other websites, exchanges, banks, and so on. Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90 percent of original password values. In fact, around 60 percent of a corpus can be recovered in as little as 3 hours on less than $10,000 worth of hardware.”

And it seems that SMS-based authentication has been used to compromise celebrities over the last few years.

“While Reddit’s use of SMS-based authentication is popular and much more secure than password alone, it’s widely known to be vulnerable to cybercriminals who have hacked many celebrities using this method,” said Tyler Moffit, senior threat research analyst at Webroot.

“In this type of attack, the phone number is the weakest link,” said Moffit. “Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication.”

This sentiment was backed by Keith Graham, CTO at SecureAuth + Core Security, who feels that more awareness and focus needs to be put on comprehensive authentication techniques to shore up organisations’ defences and prevent cyberattacks in the future.

“Organisations need to go further than just two-factor authentication, utilising Identity platforms that join silos of data together to create comprehensive Identity controls,” said Graham. “Part of those controls should be to implement adaptive authentication that combines techniques such as geographic location analysis, device recognition, IP reputation based threat services, and phone fraud prevention to address the threats at the identity level efficiently.”
