Hacker breaks into Reddit systems via SMS-based 2FA

Reddit, a popular social news aggregation and discussion website, suffered from a security breach between June 14 and June 18 of this year. The incident was discovered on June 19 and linked to weaknesses in SMS-based two-factor authentication (2FA). 

Christopher Slowe, Reddit’s CTO and Founding Engineer (“KeyserSosa”), commented on the incident:

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.”

Slowe further added SMS was the crux of the breach: 

“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

The company said that the attacker gained read-only access to systems and data, such as backup data, some current email addresses, source code and other logs. 

As readers may be aware, the National Institute of Standards and Technology (NIST) published in June 2017 its “Digital Identity Guideline” (NIST Special Publication 800-63B) warning security practitioners to move away from SMS-based 2FA.

The NIST identity and authentication guideline first surfaced as a draft in July 2016, citing lack of security around SMS feature. 

Users are strongly encouraged to use token-based 2FA, such as Google’s Authenticator or Authy apps, that use the Time-based One-Time Password (TOTP) protocol.

2FA enables users to increase security of their web application and system logins as it requires an additional one time password to be entered, on top of their normal login/password combination.