Reddit has suffered a “serious” data breach but seems unwilling or unable to put a figure on its size.
There are two parts to this story – who is affected and the weakness the company says led to the breach itself.
Dealing with users first, there are two groups in the firing line, arguably the more important being the unknown number of Reddit users who received an email digest between 3 and 17 June 2018. If you’re one of those, the attackers know your email address and username but not your password, which has potentially troubling implications discussed below.
The second group at risk is anyone who registered with the site between 2005 (when it launched) and May 2007.
In this case, data accessed includes account username and password, the email address used at that time, and any content posted including private as well as public messages.
Passwords were salted and hashed, which sounds vaguely reassuring until you realise it covers a continuum of possibilities from very safe to not very safe at all.
If the hashing was done with a deliberately slow, iterated algorithm such as bcrypt, whose cost factor makes every guess expensive, then you can feel reassured. If it simply means a single pass of a fast general-purpose hash like SHA-1 over the salt and password, a scheme that was already out of date but not uncommon in 2007, then you can’t: the salt stops attackers reusing precomputed tables across accounts, but it does nothing to slow down guessing against any one account.
Sadly, we don’t know which it is.
If it’s the latter, the risk falls on the probably small group of users who haven’t changed their password since 2007, or who changed it on Reddit but reused the old one on other sites without updating it there too.
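To make that continuum concrete, here is an added illustration; it is not Reddit’s code, and Reddit has not said which scheme it actually used. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for the iterated, tunable-cost end of the scale, and a single pass of SHA-1 over salt and password stands in for the weak end. The accounts, passwords and wordlist are constructed for the demo. The same dictionary attack is run against both schemes; it succeeds against both, but the number of guesses a second the attacker gets differs by orders of magnitude.

```python
import hashlib
import hmac
import os
import time

# Assumption for illustration: "salted and hashed" means salt || password fed once
# through SHA-1, the kind of scheme common around 2007. Reddit has not said what it used.
def sha1_salted(password: str, salt: bytes) -> bytes:
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

# Stand-in for the slow end of the continuum (bcrypt is not in the standard library).
# 600,000 iterations is the figure OWASP currently recommends for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def store(password: str, hasher) -> tuple:
    """What the site keeps per account: a fresh random salt plus the digest."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)

def verify(password: str, salt: bytes, digest: bytes, hasher) -> bool:
    """Login check; constant-time compare so timing does not leak digest bytes."""
    return hmac.compare_digest(hasher(password, salt), digest)

def crack(records: dict, wordlist: list, hasher) -> dict:
    """What the attacker does with a leaked table: recompute each guess under each
    account's own salt. The salt forces a separate pass per account, but every pass
    costs only one call of `hasher`, so a fast hasher means fast cracking."""
    found = {}
    for user, (salt, digest) in records.items():
        for guess in wordlist:
            if hasher(guess, salt) == digest:
                found[user] = guess
                break
    return found

def guesses_per_second(hasher, n: int = 5) -> float:
    """Rough single-core, pure-Python throughput; GPUs do far better against SHA-1."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(n):
        hasher(f"guess{i}", salt)
    return n / (time.perf_counter() - t0)

# Constructed sample data: two accounts and a tiny wordlist (not real credentials).
WORDLIST = ["password", "letmein", "qwerty", "123456"]
USER_PASSWORDS = {"alice": "letmein", "bob": "correct horse battery staple"}

def demo(hasher) -> dict:
    """Build a leaked-looking table under `hasher` and run the dictionary attack on it."""
    records = {u: store(p, hasher) for u, p in USER_PASSWORDS.items()}
    return crack(records, WORDLIST, hasher)

if __name__ == "__main__":
    for name, h in (("salted SHA-1", sha1_salted), ("PBKDF2-HMAC-SHA256", pbkdf2_salted)):
        print(f"{name}: cracked {demo(h)}, ~{guesses_per_second(h):,.0f} guesses/s")
```

Both runs recover alice’s weak password and fail on bob’s long passphrase; what changes is the cost. In pure Python the SHA-1 variant manages hundreds of thousands of guesses a second and the PBKDF2 variant a handful, and on GPU hardware salted SHA-1 runs at billions of guesses a second. That is why a 2007-era salted SHA-1 table is no protection for anyone who still uses the same password, on Reddit or anywhere else.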
What went wrong?
According to Reddit, it learned on 19 June that between 14 and 18 June attackers compromised a small number of employee accounts used to access “cloud and source code hosting providers.”
These accounts were using SMS-based two-factor authentication (2FA), which the attackers managed to defeat:
We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.
Reddit’s announcement is a great example of why it’s important to read breach notifications carefully.
First, we learn that the company knew about this breach for more than a month before saying anything, and even now it hasn’t put a figure on the number of Reddit users at risk.
This matters because the June 2018 cache of email addresses and usernames could reveal a lot about users who rely on a degree of anonymity when using Reddit.
As Troy Hunt tweeted:
That match between usernames and email addresses may be the real story here, especially in cases where people were posting under pseudonyms with an expectation of privacy. Think about some of the systemic and anonymous trolling we’ve seen there.
Next, the company seems disappointed by the ease with which the attackers bypassed the SMS 2FA protecting its cloud accounts, even though this older form of authentication has well-publicised weaknesses, including SIM swap fraud and interception of the messages themselves.
Set against that, the fact that the attackers also gained access to some Reddit source code almost feels like a small loss, even though it is anything but: source code lets an attacker hunt for further weaknesses at leisure.
What to do?
Reddit says it will prompt affected users to change their password (and has sent emails to that end). Since the company isn’t clear about the breach’s size, breaches are often worse than they first appear, and you have nothing to lose, you might as well change your password as a precaution anyway.
Then, ideally, turn on the TOTP (Time-based One-Time Password) 2FA that Reddit enabled for its user base in January 2018.
Ironically, the company only implemented this after someone broke into moderator accounts in 2016 and defaced a load of subreddits. (Just a pity it didn’t take the time to upgrade the security on the vulnerable cloud accounts involved in the latest compromise while it was at it, but I digress.)
As already mentioned, there’s also a risk that should the compromised email addresses and usernames leak into the public domain – a likely event on past experience – the world will be able to associate comments with an email identity.
Anyone worried about this can remove some or all of that data by following these help instructions.
I think this story could really balloon as the data contained within the leak is analyzed and sorted. Could probably even be weaponized against certain individuals or groups. To me this is a national news story, not just an IT story.
If you’re depending on SMS/phone call as your second factor in an MFA environment, STOP and do the following: switch to something better such as, in the following order, hardware security keys, application-based second factor (authentication app), and if you have no choice, SMS/phone. Personally I think if you’re going to do SMS, put it on a cloud phone number where that account’s authentication is behind MFA, such as Google Voice. And then on that account, use MFA in the order listed above.