Reddit says the breach took place after hackers intercepted SMS messages that were supposed to be delivered to employees.
The social media giant Reddit has announced that it has suffered a data breach in which attackers hacked into its systems and stole data of its registered users, including email addresses and encrypted passwords.
Reddit discovered the breach on June 19th, 2018, after attackers had hacked into the accounts of its employees with cloud and source code hosting providers between June 14 and June 18. This allowed the attackers to access Reddit’s primary access points for code and steal a complete copy of an old database backup covering 2005 to 2007.
The stolen database contained usernames, email addresses, encrypted passwords, public posts and private messages. It is noteworthy that the targeted accounts were protected with two-factor authentication (2FA), yet the attackers were able to defeat it by intercepting the text messages that were supposed to be delivered to employees.
“Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code, and other logs,” wrote Reddit’s founding engineer Christopher Slowe.
Reddit has informed law enforcement authorities, and affected users are being contacted. Slowe is advising users not to depend on SMS-based 2FA and to use token-based 2FA instead. Slowe also revealed that Reddit hired its first-ever head of security 2.5 months ago. “So far he hasn’t quit.”
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” said Slowe. “We point this out to encourage everyone here to move to token-based 2FA.”
Massive Signalling System Number 7 (SS7) Flaw
There is nothing surprising about SMS interception, since Signalling System Number 7 (SS7) is known to be highly vulnerable. The flaw allows attackers to target any smartphone user, intercepting their voice calls and text messages and tracking their location as well. Currently, billions of mobile phone users are at risk of eavesdropping.
In 2015, hackers demonstrated how they could intercept and record the telephone conversations as well as the location of Nick Xenophon, an Australian senator, even though the hackers were thousands of miles away in Germany.
“Verification by SMS message is useless against a determined hacker with access to the SS7 portal because they can intercept and use the SMS code before it gets to the bank customer,” hackers noted back in 2015.
In 2016 and 2017, the same flaw was reportedly used to hack Facebook accounts, Gmail-based email accounts, and Bitcoin wallets. Most recently, Joel Ortiz, a California-based hacker, stole millions of dollars from his victims after hacking 40 SIM cards, reminding us that online security is a myth.
Not for the first time
In 2016, Reddit made headlines for resetting the passwords of 100,000 user accounts after identifying account takeovers (ATOs) by malicious third parties. In another incident, a hacker defaced several highly popular subreddits just because he felt bored, and said that “Reddit’s security is shit.”