Hackers break into Reddit's systems

SMS-based authentication not nearly as secure as it thought

Global online forum Reddit has revealed that a hacker broke into a few of its systems and accessed user data between 14 and 18 June.

According to an announcement issued on 2 August, current email addresses and a 2007 database back-up containing old salted and hashed passwords have been accessed.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” according to Reddit.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.

“We point this out to encourage everyone here to move to token-based 2FA.”

According to Webroot senior threat research analyst Tyler Moffitt, the phone number is the weakest link in this type of attack.

"Cyber criminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication," Moffitt said.

"For example, a cybercriminal would simply need to give a wireless provider an address, last four digits of a social security number, and perhaps a credit card to transfer a phone number.

"This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax."

Reddit said that the hacker did not gain write access to its systems, only read-only access to some systems that contained back-up data, source code and other logs.

A complete copy of an old database backup containing early Reddit user data, from the site’s launch in 2005 through May 2007, was accessed.

According to Reddit, the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

Also accessed were logs containing the email digests Reddit sent between 3 and 17 June 2018.

Reddit logs (source: Reddit)

The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits that users subscribe to.

“As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data,” it said.

Reddit has reported the issue to law enforcement, is letting users know, and is taking measures to guarantee that additional points of privileged access to Reddit’s systems are more secure.

Samira Sarraf