Hackers break into Reddit's systems

SMS-based authentication not nearly as secure as it thought

Global online forum Reddit has revealed a hacker broke into a few of its systems accessing user data between 14-18 June.

According to an announcement issued on 2 August, current email addresses and a 2007 database back-up containing old salted and hashed passwords have been accessed.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” according to Reddit.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.

"We point this out to encourage everyone here to move to token-based 2FA."

According to Webroot senior threat research analyst Tyler Moffitt, the phone number is the weakest link in this type of attack.

"Cyber criminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication," Moffitt said.

"For example, a cybercriminal would simply need to give a wireless provider an address, last four digits of a social security number, and perhaps a credit card to transfer a phone number.

"This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax."

Reddit said that the hacker did not gain write access to its systems only read-only access to some systems that contained back-up data, source code and other logs.

A complete copy of an old database backup containing early Reddit user data -- from the site’s launch in 2005 through May 2007 was accessed.

According to Reddit the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

Also accessed were logs containing the email digests Reddit sent between 3-17 June 2018. 

Read more: Hacked: it could happen you

Reddit logs (source: Reddit)
Reddit logs (source: Reddit)

The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work sub-reddit's users subscribe to. 

As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data,” it said.

Reddit has reported the issue to law enforcement, it is letting users know and is taking measures to guarantee that additional points of privileged access to Reddit’s systems are more secure.

Read more: The Social Networking Compendium – Part 6 (Social Bookmarking)

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags reddithacked

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Samira Sarraf
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?