
Reddit Hit by Security Breach, User Data Exposed

Posted on the 08 August 2018 by Darkwebnews @darkwebnews

Reddit has recently revealed that it suffered a security breach which subsequently exposed substantial user data.

Confirming the incident through an official statement, Reddit Chief Technology Officer Christopher Slowe claims that a hacker breached several internal systems and gained access to some personal user details.

This includes a database backup comprising user credentials, messages and email addresses.

The breach also exposed the email addresses and usernames of users who received email notifications for a period in June.

Details of the Breach

The incident occurred between June 14 and June 18, with Reddit only learning about it on June 19.

Slowe outlined in the blog announcement that, since the incident, Reddit has been conducting thorough investigations to determine precisely what the hacker accessed while also working to enhance the company's processes and systems to prevent a recurrence.

He also mentioned that the hack compromised only a few employee accounts with the company's source code and cloud hosting providers.

The attacker used SMS interception to circumvent the two-factor authentication (2FA) that Reddit had in place.

Typically, Reddit offers the two-factor authentication through a token, but as it turns out, one of their providers failed to do so, which created the loophole for the attack.

Slowe was quick to point out that although there was an undeniable breach of the system, the attack only gained read-only access to several systems which contained source code, backup data and other logs.

What's more, he also points out that no phone was breached, which suggests that the hacker intercepted the SMS authentication codes, possibly by scamming the provider or individual phone.

What Data Was Compromised?

Although he did not provide a complete inventory of everything the hacker was able to access, Slowe did outline two key areas of concern where data may have been exposed.

First, the compromised material contained a database backup comprising cryptographically salted and hashed passwords dating all the way back to 2007 and before.

This is in addition to the email addresses, usernames and messages of users, including private messages until May 2007.

Second, the attacker also breached email digests which Reddit sent out to its users between June 3 and June 17.

These digests link usernames to the corresponding email addresses, potentially compromising the anonymity of the users, and also include suggested posts from particular subreddits to which users subscribe.

In response to the attack, Reddit is resetting passwords on the user accounts the company suspects may have been breached.

Individuals who still use a similar password elsewhere need to change their credentials on those sites as well.

SMS Two-Factor Authentication Concern

One factor stands out in this incident. The hacker broke into the source code and cloud hosting repository accounts of some Reddit staff even though they used SMS-based two-factor authentication.

SMS has several significant inherent security flaws. In fact, the U.S. National Institute of Standards and Technology even declared it unacceptable in 2016.

However, it remains in use in various enterprises, with numerous services still relying on it as a backup or main 2FA method.

Slowe said that although Reddit already had their main access points for infrastructure and code behind strong 2FA, they later identified that SMS-based authentication was not as secure as they would have expected.

Actually, according to him, the primary attack occurred through SMS intercept, and they are highlighting this to encourage their users to adopt token-based 2FA.

Security experts have indeed advised users against using texts as the second factor because of their vulnerability to several threats. They recommend using safer alternatives such as authenticator apps and hardware tokens.

What Next?

Although the hacker had access to several Reddit systems which contained source code, backup data and other logs, they did not have write access to these systems and were therefore unable to alter any information.

Reddit has since taken huge steps after the breach to lock down all API keys and production details as well as to enhance their monitoring and logging systems.

What's more, the site has also already taken up the matter with the authorities and has started to notify its users while also taking appropriate steps like requiring token-based two-factor authentication and additional encryption.

This is to ensure that additional points of privileged access to their systems are better secured.

