Reddit Suffers Server Breach Via Intercepted SMS Based 2FA

The social media platform has beefed up security following the incident and will be working with law enforcement.

Jeremy Nation
Published in METACERT, Aug 3, 2018

On August 1, 2018, the popular internet forum and social media site Reddit.com reported a breach of its database due to an SMS intercept attack.

Data breaches have become so commonplace that there is probably a better chance that your account has been exposed in some database leak than not. That being the case, if you own a server holding sensitive information, perhaps the time has come to look at your internal security, change your passwords, and stop relying on your smartphone’s SMS as the basis for two-factor authentication (2FA).

In Reddit’s case, it remains unclear exactly how the attacker managed to intercept the 2FA SMS code that provided them server access. What Reddit did say is that between June 14 and June 18, 2018, a hacker accessed “some systems that contained backup data, source code and other logs” including a 2007 database backup of the site complete with hashed and salted passwords. The hacker was unable to make any edits and possessed read-only privileges during the breach.

Reddit recommends that those who take security to heart not rely on SMS-based 2FA and instead use a token-based form of 2FA.

Reddit became aware of the breach on June 19, 2018, and subsequently performed an investigation to better understand the scope of the attack and how it can be prevented in the future. A report was filed and Reddit is cooperating with authorities. In addition, anyone on the platform who was affected by the hack will receive a message “if there’s a chance the credentials taken reflect the account’s current password.”

What The Hacker Accessed:

Reddit’s statement provided specifics on the exact information that was accessed during the security breach:

All Reddit data from 2007 and before including account credentials and email addresses

What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.

Email digests sent by Reddit in June 2018

What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.

How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3–17, 2018.

Reddit also divulged that the hacker accessed certain source code, internal logs, configuration files, and other employee records.

To avoid this type of breach in the future, Reddit said it will take measures to bolster security, such as requiring token-based 2FA, engaging in enhanced logging, and using more encryption.

If you believe your account was affected, meaning you signed up with Reddit before 2007, and you want to remove information from your account that you don’t want associated with the exposed email address, Reddit has a resource for you. In addition, Reddit has provided users with instructions on how to set up their own 2FA to strengthen account security.
