The company has acknowledged the security flaw
Enterprise network security specialists report that a hacker compromised the accounts of some Reddit employees with the company’s source hosting and cloud providers, penetrated some of its systems, and accessed user data, including email addresses and a backup of a database containing old passwords.
“We are implementing two-factor authentication (2FA) for key code access points to strengthen user security. We have discovered that SMS-based authentication is not as secure as we expected, and the main attack was performed through SMS interception,” a company statement says.
Enterprise network security experts from the International Institute of Cyber Security support Reddit’s decision to implement two-factor authentication.
Enterprise network security experts agree that Reddit learned the hard way about the weakness of its security measures: even though the accounts were secured with two-factor authentication, Reddit used SMS-based authentication. Experts have argued for a long time that SMS is not safe enough to be used as an authentication factor.
Hackers can intercept SMS using fake base stations or subscriber spoofing attacks, which is what happened in Reddit’s case: an SMS interception technique was used to bypass two-factor authentication.
For enterprise network security investigators, SMS authentication is more secure than just a password, but it is also vulnerable to slightly more complex attacks. Hackers can steal the victim’s phone number, transferring it to a different SIM card with relative ease, thus obtaining access to text messages and, therefore, to SMS-based authentication. The data needed to do so are found relatively easily on dark web sites due to the growing number of data breaches that several organizations have suffered.
Reddit found out on June 19 about the attack, which was carried out between June 14 and 18. The company said that a “thorough investigation” revealed that the attacker gained read-only access to some systems containing backup data, source code and other records, but was unable to modify them.
The attacker was able to access all data from 2007 and earlier, including access credentials and e-mail addresses, and reached the database backup that contained user data from 2005, when the site was launched, until May 2007.
The company said it has reported the hack to the authorities and is also notifying users and implementing measures, such as additional encryption and token-based two-factor authentication, to better secure the access points to its systems.
This does not seem to be enough for many enterprise network security specialists, however. Some of them are concerned that Reddit seems to be downplaying the data breach because it involved only read-only access to its databases. While the measures are positive, they do not reduce the severity of the data breach that the company suffered.