Today Reddit revealed that they had experienced a cyberattack, which Reddit says took place between June 14th and 18th this year.
The attacker got past the SMS-based two-factor authentication on several employee accounts by intercepting the one-time codes sent by text message. SMS codes travel over the mobile network, so anyone who can hijack or spoof the victim's phone number receives the same code as the legitimate user; Reddit described the main attack as an "SMS intercept".
The hack meant that users' email addresses and (salted and hashed) passwords could end up exposed on the open internet or the dark web. The password data came from a 2007 database backup, so it covers accounts from that year and earlier. Logs of Reddit Digest emails were also thought to have been accessed.
"A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again."
Reddit said that the attack was serious, but that the attacker did not gain write access to any Reddit systems and so could not alter Reddit data; they obtained read-only access to backup data, source code and some logs.
Reddit have taken precautions to avoid any further issues by rotating API keys and other production secrets and by enhancing logging and monitoring of their systems.
Reddit have now announced the steps users should take to keep their data safe:
- Affected users are being contacted by private message or email
- Change your password immediately, and change it anywhere else you reused it
- Check whether you received a Reddit Digest email from firstname.lastname@example.org between June 3rd and 17th; if so, your email address was probably among the data accessed
- Remove anything from your account that you don’t want associated with your email address
This hack is yet another reminder that security is paramount. Here, SMS-based two-factor authentication was not enough against this kind of attack, so proactive monitoring and layered defences need to be in place. Many companies now issue hardware security keys such as YubiKey for phishing-resistant two-factor authentication: the key signs a fresh challenge for the specific site that requested it, so a code intercepted in transit or relayed through a look-alike site is of no use to an attacker.
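To make that difference concrete, here is an added example (not code from the original article and not Reddit's own) contrasting the two factors. The SMS server only checks that whoever logs in knows the code, so an intercepted code works. The FIDO-style server checks that the assertion answers the challenge it just issued, was signed for its own origin, and carries a counter that has advanced. The hardware key, the site names and the attacker are all constructed for the demo; a real U2F/WebAuthn key signs with a per-origin ECDSA key pair, and here an HMAC over the same fields stands in for that signature so the script runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
import struct


# ---- SMS one-time code: possession of the code is all the server checks ----

class SmsOtpServer:
    def __init__(self):
        self.pending = {}  # user -> code sent by SMS

    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        return code  # in reality this leaves via the mobile carrier

    def login(self, user, code):
        # Nothing ties the code to the device or site submitting it:
        # whoever holds the intercepted code is "the user".
        return hmac.compare_digest(self.pending.get(user, ""), code)


# ---- FIDO-style hardware key: assertion bound to origin, challenge, counter ----

def _assertion_bytes(origin, challenge, counter):
    return origin.encode() + challenge + struct.pack(">I", counter)


class HardwareKey:
    """Toy authenticator: one secret per registered origin plus a
    monotonically increasing signature counter, like a U2F key.
    (HMAC stands in for the per-origin ECDSA signature of a real key.)"""

    def __init__(self):
        self.keys = {}
        self.counter = 0

    def register(self, origin):
        self.keys[origin] = secrets.token_bytes(32)
        return self.keys[origin]  # stand-in for the public key given to the server

    def sign(self, origin, challenge):
        # The browser, not the user, supplies the origin: a phishing page on
        # another domain cannot get the key to sign for the real site.
        if origin not in self.keys:
            raise KeyError("no credential registered for this origin")
        self.counter += 1
        msg = _assertion_bytes(origin, challenge, self.counter)
        sig = hmac.new(self.keys[origin], msg, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge,
                "counter": self.counter, "sig": sig}


class FidoServer:
    def __init__(self, origin):
        self.origin = origin
        self.creds = {}    # user -> [key material, last counter seen]
        self.pending = {}  # user -> outstanding challenge

    def register(self, user, key_material):
        self.creds[user] = [key_material, 0]

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def login(self, user, assertion):
        key, last_counter = self.creds[user]
        challenge = self.pending.pop(user, None)
        # 1. freshness: the assertion must answer the challenge we issued
        if challenge is None or assertion["challenge"] != challenge:
            return False
        # 2. origin binding: something signed for another site is useless here
        if assertion["origin"] != self.origin:
            return False
        # 3. the counter must advance: replays and cloned keys fail
        if assertion["counter"] <= last_counter:
            return False
        msg = _assertion_bytes(assertion["origin"], challenge, assertion["counter"])
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self.creds[user][1] = assertion["counter"]
        return True


def sms_intercept_scenario():
    """Attacker who can read the victim's SMS (hijacked number) logs in."""
    server = SmsOtpServer()
    intercepted = server.send_code("alice")  # attacker sees the same text
    return server.login("alice", intercepted)  # True: attacker is in


def hardware_key_scenarios():
    key = HardwareKey()
    site = FidoServer("https://reddit.example")  # constructed origin
    site.register("alice", key.register(site.origin))

    assertion = key.sign(site.origin, site.challenge("alice"))
    legit = site.login("alice", assertion)  # normal login succeeds

    site.challenge("alice")  # a new challenge is outstanding...
    replay = site.login("alice", assertion)  # ...so the captured one fails

    # Phishing: the attacker relays a real challenge, but the victim's browser
    # asks the key to sign for the look-alike origin, which it cannot do.
    relayed = site.challenge("alice")
    try:
        key.sign("https://reddit-login.example", relayed)
        phish = True
    except KeyError:
        phish = False
    return {"legit": legit, "replay": replay, "phish": phish}


if __name__ == "__main__":
    print("SMS code intercepted, attacker logged in:", sms_intercept_scenario())
    print("Hardware key outcomes:", hardware_key_scenarios())
```

The three checks in `FidoServer.login` are the ones that matter: the SMS server cannot perform any of them because a six-digit code carries no information about where it came from or who is presenting it.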
Reddit recently hired their first Head of Security, who they stated “hasn’t quit yet”. They also said that they had a couple of security roles open, if anyone felt they could help out. Whether or not some irony was intended, Reddit definitely need to step up their security game.