User passwords and email addresses compromised in Reddit breach

02 Aug 2018

Reddit has announced that a hacker broke into a few of its systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.

Reddit has since been conducting a painstaking investigation to figure out just what was accessed and to improve its systems and processes to prevent the incident from happening again.

Timeline

On June 19, Reddit learned that between June 14 and June 18, an attacker compromised a few employee accounts with its cloud and source code hosting providers.

Its primary access points for code and infrastructure were protected by two-factor authentication (2FA) that relied on SMS, and the main attack was via SMS intercept.

Reddit acknowledged that although it was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to systems that contained backup data, source code and other logs.

The attacker was not able to alter Reddit information, and Reddit has since taken steps to further lock down and rotate all production secrets and API keys, and to enhance logging and monitoring systems.

What was accessed

Two key areas of user data were accessed:

- All Reddit data from 2007 and before, including account credentials and email addresses

  - What was accessed: A complete copy of an old database backup containing very early Reddit user data from the site’s launch in 2005 through May 2007. In Reddit’s first years it had fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from the abovementioned timeframe.

  - How to tell if your information was included: Reddit has messaged affected users and is resetting passwords on accounts where the credentials might still be valid. Users who signed up for Reddit after 2007 are safe. Reddit is advising users to check their private messages and/or email inbox.

- Email digests sent by Reddit in June 2018

  - What was accessed: Logs containing the email digests sent between June 3 and June 17, 2018. The logs contain the digest emails themselves. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits the user subscribed to.

  - How to tell if your information was included: Users who don’t have an email address associated with their account, or whose “email digests” user preference was unchecked during that period, are not affected. Otherwise, users can search their email inbox for emails from noreply@redditmail.com between June 3-17, 2018.
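The inbox check described above, as an added example that is not part of the original article or of any Reddit tooling: it scans an mbox-format mail archive for messages from noreply@redditmail.com dated within the June 3-17, 2018 window. The mbox content is constructed sample data.

```python
"""Find Reddit email digests sent inside the exposed-log window (3-17 June 2018).

Added example, not from the article. SAMPLE_MBOX is constructed test data.
"""
from datetime import datetime, timezone
import email
from email.utils import parseaddr, parsedate_to_datetime

DIGEST_SENDER = "noreply@redditmail.com"                   # sender named in the article
WINDOW_START = datetime(2018, 6, 3, tzinfo=timezone.utc)   # inclusive
WINDOW_END = datetime(2018, 6, 18, tzinfo=timezone.utc)    # exclusive, so all of 17 June counts

# Constructed sample: one digest in the window, one outside it, one unrelated sender.
SAMPLE_MBOX = """From noreply@redditmail.com Sun Jun 10 09:00:00 2018
From: Reddit <noreply@redditmail.com>
Subject: Your weekly digest
Date: Sun, 10 Jun 2018 09:00:00 +0000

digest body

From noreply@redditmail.com Mon Jul 02 09:00:00 2018
From: Reddit <noreply@redditmail.com>
Subject: Your weekly digest
Date: Mon, 2 Jul 2018 09:00:00 +0000

digest body

From news@example.invalid Tue Jun 05 12:00:00 2018
From: Newsletter <news@example.invalid>
Subject: Other mail
Date: Tue, 5 Jun 2018 12:00:00 +0000

other body
"""

def split_mbox(text):
    """Split mbox text into raw messages; each starts with an envelope 'From ' line, which is dropped."""
    chunks, current = [], []
    for line in text.splitlines():
        if line.startswith("From ") and current:
            chunks.append("\n".join(current[1:]))
            current = []
        current.append(line)
    if current:
        chunks.append("\n".join(current[1:]))
    return chunks

def find_exposed_digests(mbox_text):
    """Return (subject, ISO date) for messages from the digest sender inside the window."""
    hits = []
    for raw in split_mbox(mbox_text):
        msg = email.message_from_string(raw)
        _, addr = parseaddr(msg.get("From", ""))
        if addr.lower() != DIGEST_SENDER:
            continue
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is None:            # a "-0000" date parses as naive; treat it as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        if WINDOW_START <= sent < WINDOW_END:
            hits.append((msg["Subject"], sent.date().isoformat()))
    return hits
```

Point `find_exposed_digests` at the contents of an exported mbox file to run it on a real archive; any hit means that digest's username-to-address link was in the exposed logs.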

As the attacker had read access to storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data.

What is Reddit doing about it?

Reddit has reported the issue to law enforcement and is cooperating with their investigation.

It is messaging user accounts if there’s a chance the credentials taken reflect the account’s current password, and it has taken measures to ensure that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry), since it suspects weaknesses inherent to SMS-based 2FA to be the root cause of this incident.

Webroot senior threat research analyst Tyler Moffitt says that SMS-based authentication has often been used by cybercriminals to hack celebrities.

“In this type of attack, the phone number is the weakest link.

“Cybercriminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication,” Moffitt says.

“For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number.”

He adds, “This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax.”
