Social news aggregation site Reddit has reported that hackers managed to access a database containing users’ email addresses and hashed passwords. The Reddit data breach has raised concerns about the use of SMS-based two-factor authentication as a security measure.
The breach occurred between the 14 and 18 June 2018. Hackers obtained a copy of an old database containing early Reddit user data from 2005 through to May 2007.
Accessed data included usernames, salted hashed passwords and email addresses. The social site is popular for using aliases, leading to fears that users could become identifiable.
The incident also exposed current email addresses of some users who had signed up to receive email digests.
Travis Biehn, technical strategist at Synopsys, warned that the passwords may be at risk of decryption.
“Even though these passwords are salted and hashed, modern password hash cracking techniques can quickly recover over 90% of original password values,” he said.
“In fact, around 60% of a corpus can be recovered in as little as 3 hours on less than $10,000 worth of hardware.”
In a statement published on the site, Reddit said:
“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
What is SMS two-factor authentication?
Two-factor authentication, also known as 2FA, requires a piece of unique information in addition to a username and password.
This is often a one-time verification code sent via an SMS text message. It prevents hackers from gaining access with just a username and password. However, the Reddit data breach shows that there are vulnerabilities.
In their statement, Reddit encouraged people to move to a token-based system that does not use SMS authentication.
Joseph Carson, chief security scientist at Thycotic, said:
“The hack at Reddit is a reminder that when protecting sensitive data by choosing 2FA in addition to a password, it is important to know that not all 2FA offers the same security; for example, the difference between using SMS-based authentication and token-based authentication.
“It looks like Reddit needs to raise the priority on implementing the model of least privilege and privileged access security controls, as this breach shows that the accounts compromised had ‘read’ access to storage systems including source code, logs and configurations.”
Carson added that he was “concerned” that Reddit seems to be playing down the data breach. The BBC reported that Reddit has refused to disclose the scale of the breach.
Why is SMS-based authentication vulnerable?
Craig Young, a security researcher at Tripwire, said that it was unusual to see SMS-based two-factor authentication being used outside of financial fraud.
He explained that SMS-based verification tokens can be stolen using techniques such as social engineering, mobile malware or by directly intercepting and decrypting signals from cell towers.
“The most common technique is most likely the use of smartphone malware, which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user but this seems less likely in such a targeted campaign,” he said.
A less technical method is to call the network provider and convince them to transfer the phone number to a new SIM.
Reddit has said the hackers gained access via SMS intercept. This involves hackers intercepting and decrypting SMS messages that are sent over the same network coverage. According to Young, this can be done with “just a couple hundred dollars of equipment”.
“The moral of this story is that SMS based two-factor authentication should not be considered “strong” in the face of a determined attacker,” he said.
It is unclear whether the breach will be subject to GDPR. An ICO spokesperson said: “We are aware of an issue concerning Reddit and will be looking to ascertain the scale and extent of any potential impact on UK citizens.”