Reddit hack reveals limitations of two-factor authentication security

By Duncan Riley for SiliconANGLE

A hacker has managed to steal historical account data from Reddit Inc. by intercepting the SMS text messages that employees used for two-factor authentication, and using the intercepted codes to gain access to some backend systems.

The hack, revealed today, took place between June 14 and 18. It saw the hacker obtain a 2007 database backup and email digests sent by Reddit in June.

The former consisted of “very early Reddit user data” from Reddit’s launch in 2005 through May 2007 and included usernames, email addresses, posts, private messages and salted hashed passwords, while the latter consisted of account names and email addresses.

What Reddit didn’t detail is which hashing method was used to protect the passwords. Some methods are far easier to crack than others, but the company is taking no chances, writing in an email to affected users that “we’re messaging you because your Reddit account credentials were among the data that was accessed” and that “if there’s a chance the credentials relate to your current password, we’ll prompt you to reset the password on your Reddit account.”

The email added that users should think about whether they “still use the password you used on Reddit 11 years ago on any other sites today.”
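The difference between password hashing methods that the article alludes to is a matter of work factor: a fast salted hash lets each guess be checked in about a microsecond, while a deliberately slow key-derivation function makes every guess cost hundreds of thousands of hash operations. The following is an added illustration, not part of the SiliconANGLE article and not Reddit’s actual code; it assumes a hypothetical legacy scheme of salted SHA-1 as a stand-in for a 2007-era store (the article does not say what Reddit used) and shows the standard “verify, then transparently upgrade on the next successful login” pattern using PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import os
import time

# Constructed scheme labels for the example; "sha1" stands in for a fast
# 2007-era salted hash (an assumption, not what Reddit actually used).
LEGACY = "sha1"
MODERN = "pbkdf2"
PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256


def hash_legacy(password: str, salt: bytes) -> dict:
    """Fast salted SHA-1: one hash call per guess, so cheap to attack offline."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return {"scheme": LEGACY, "salt": salt.hex(), "hash": digest}


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Slow KDF: each guess costs `iterations` HMAC evaluations."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": MODERN, "salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def _recompute(record: dict, password: str) -> str:
    """Recompute the stored hash for `password` under the record's own scheme."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == LEGACY:
        return hash_legacy(password, salt)["hash"]
    if record["scheme"] == MODERN:
        return hash_pbkdf2(password, salt, record["iterations"])["hash"]
    raise ValueError(f"unknown scheme {record['scheme']!r}")


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Check a login; on success, migrate a legacy record to PBKDF2 with a fresh salt.

    Returns (ok, record_to_store). Comparison is constant-time.
    """
    ok = hmac.compare_digest(_recompute(record, password), record["hash"])
    if not ok:
        return False, record
    if record["scheme"] == LEGACY:
        return True, hash_pbkdf2(password, os.urandom(16))
    return True, record


def relative_cost(password: str = "correct horse", rounds: int = 200) -> float:
    """Rough ratio of PBKDF2 cost to legacy-hash cost per guess (timing-based, so approximate)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hash_legacy(password, salt)
    legacy_each = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hash_pbkdf2(password, salt)
    modern_each = time.perf_counter() - start
    return modern_each / legacy_each


if __name__ == "__main__":
    # Constructed sample: a user whose record still uses the legacy scheme.
    stored = hash_legacy("hunter2", os.urandom(8))
    ok, stored = verify_and_upgrade(stored, "hunter2")
    print("login ok:", ok, "| scheme now:", stored["scheme"])
    print("PBKDF2 costs roughly %.0fx a legacy hash per guess" % relative_cost())
```

The upgrade step is the practical counterpart to the “reset your password” email: a site that still holds fast hashes cannot make old records stronger without the plaintext, but it can re-hash each password the moment a user next logs in, and the legacy records that never get upgraded are exactly the ones worth forcing a reset on.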

Sam Small, chief security officer at ZeroFOX Inc., told SiliconANGLE that the problem with the data being stolen is that many Reddit users are drawn to the website for its anonymity.

“With this recent incident… much of the data breached may ultimately reveal people’s personal opinions, comments, subscriptions to specific sub-Reddits, messages between users and even which posts users upvote,” Small explained. “The risk involved is proportional to the impact of the potential scandal. The more important the person and the more unsavory the content, the bigger the resulting scandal.”

For those thinking that deleting their Reddit account may assist them, Small said the cat is out of the bag. “Many online services mirror and cache old Reddit data, so there may be no way to take back past comments shared online,” he said. “This incident is yet another important reminder to be mindful of what you share online, especially if you wouldn’t say it in public.”

Many security experts are focusing on how the hacker intercepted the two-factor authentication messages to gain access, since many companies rely on SMS-based 2FA as a security measure in the first place.

“The Reddit hack is a reminder that … not all two-factor authentication offers the same security,” said Joseph Carson, chief security scientist at Thycotic Software Ltd. “Reddit needs to raise the priority on implementing the model of least privilege and privileged access security controls as this breach demonstrates that the accounts compromised had read access to storage systems including source code, logs, and configurations.”

Joseph Kucic, chief security officer at Cavirin Systems Inc., added that the SMS vulnerabilities have been known since at least June 2017.

“There has been a large increase in mobile device malware to capture/intercept SMS messages, a major benefit for usage with mobile banking apps,” he said. SMS messages have had other risks as well, he said, including SIM swap and unauthorized access from core telecommunications signaling environments.

“When Reddit started using SMS for two-factor authentication in 2005 it was a best practice, but over the past 15 years, smartphones have become the primary user device and hackers have migrated their focus and efforts to taking advantages of weaknesses in areas that were once very limited in their nature,” he said.

Keith Graham, chief technology officer at SecureAuth + Core Security, said the news demonstrates that “organizations need to go further than just two-factor authentication, utilizing identity platforms that join silos of data together to create comprehensive identity controls.”