Reddit says hacker breached system 2 months ago

ItsMitch

S: Reddit

Summary

  • When did this happen? 2018
  • What got taken? Salted passwords and emails
  • How? Attacker used SMS intercept to hijack the Reddit admin account's 2FA credentials

Reddit confirmed today in an announcement that they had suffered a security breach all the way back in June 2018. What was stolen? Eh, nothing huge, a database that held emails and salted passwords.

2007 data taken:

Quote

All Reddit data from 2007 and before including account credentials and email addresses

  • What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
  • How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.

2018 data taken:

Quote

Email digests sent by Reddit in June 2018

  • What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves -- they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
  • How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.

What's next?

  • Reddit will continue to work with its cloud providers to monitor the situation closely.
  • Reddit has confirmed it's working with all authorities on the matter and that it'll be fully cooperative with law enforcement.
  • It'll be contacting all affected users and will be issuing account password resets.
  • Took measures to guarantee that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.)

Of course Reddit highly recommends enabling 2FA (and they do provide an app for it) for all users, and of course to be aware of any potential phishing scams out in the wild.

From what I read, the hack happened in 2018 only, and the only mention of 2007 was that the data they got into were backups that were dated 07 and older.

Quote

On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers.

This is the only mention of a timeframe, and presumably this is June 14-18 of 2018.


So some people haven't changed their password in 11 years?

9 minutes ago, Brainless906 said:

From what I read, the hack happened in 2018 only, and the only mention of 2007 was that the data they got into were backups that were dated 07 and older.

It appears that the lack of hot chocolate this morning is fumbling the fuck out of my mind, updated (I think)

4 minutes ago, Shreyas1 said:

So some people haven't changed their password in 11 years?

it seems so 


6 minutes ago, Shreyas1 said:

So some people haven't changed their password in 11 years?

Old accounts that are inactive are extremely valuable. Reddit Influence Campaigns are the main way to make money off Reddit right now. Most of the major reddits are controlled by astroturfing groups, as it stands. 


6 hours ago, Shreyas1 said:

So some people haven't changed their password in 11 years?

It's Reddit, what's the worst that can happen. Unless you post to gonewild or whatever.


No need to worry - Yahoo "released" account details which could be used to compromise the account easily a while ago.

I almost feel sorry for the hacker - they put a ton of effort into this and only get data from before 2007.


I was wondering why phone based 2FA is considered anything more than a band-aid.

I trust email to deliver information to me securely more than I do text messages.


Why is this being called a hack?  Sounds to me like someone managed to get the admin login details and then just walked in and took stuff.  It's not like he actually found and exploited security holes in the server or something.


Just now, Ryan_Vickers said:

Why is this being called a hack?  Sounds to me like someone managed to get the admin login details and then just walked in and took stuff.  It's not like he actually found and exploited security holes in the server or something.

Very few "hacks" are people using exploits. Breaches 99% of the time are because someone got someone's password.


1 minute ago, mynameisjuan said:

Very few "hacks" are people using exploits. Breaches 99% of the time are because someone got someone's password.

Yeah that seems to be the case.  I can't really call that a "hack" though, gives the attack far too much credit.  It's like saying someone broke into your house and bypassed your security system when in fact you left the key and the code on a note outside the front door and someone just took them and strolled in.

And on that subject, why was the admin of all people using SMS 2fa?  Does the site not support anything better?  If so, that's pathetic and they should be ashamed of themselves as it's well known and well documented that SMS is not even close to a safe and effective way to deliver 2fa codes.  If they do offer something better, why wasn't he/she using it?  That's just incompetence... in fact, if anything more important was done on that site (credit card info, other personal data), one could even say without really making a stretch that it's criminal incompetence due to the risk they put their userbase at.


2 minutes ago, Ryan_Vickers said:

why was the admin of all people using SMS 2fa? 

There is nothing wrong with SMS 2fa. The problem with the technology is the telecoms and your popularity. Everyone's info is out there, and the more popular you are the more details too. SMS 2fa is more than enough for the average joe.

But yes, the big names should use other forms of authentication. 


5 minutes ago, mynameisjuan said:

There is nothing wrong with SMS 2fa. The problem with the technology is the telecoms and your popularity. Everyone's info is out there, and the more popular you are the more details too. SMS 2fa is more than enough for the average joe.

But yes, the big names should use other forms of authentication. 

Technically speaking, yeah I suppose so but guess which of those is easier to fix.  I'm taking a pragmatic approach to this and the very easy solution is to not use SMS because of the issues you mentioned.  And it's not just high profile people any more either, these kind of attacks are more and more being used against "average joe" as well.  All it takes is a desirable username or some other petty interest and they become a target as well.


3 minutes ago, Ryan_Vickers said:

Technically speaking, yeah I suppose so but guess which of those is easier to fix.  I'm taking a pragmatic approach to this and the very easy solution is to not use SMS because of the issues you mentioned.  And it's not just high profile people any more either, these kind of attacks are more and more being used against "average joe" as well.  All it takes is a desirable username or some other petty interest and they become a target as well.

Well I mean the telcos should get their shit together before blaming the tech. 


2 hours ago, mynameisjuan said:

Well I mean the telcos should get their shit together before blaming the tech. 

Getting their shit together would require completely scrapping the entire system and redesigning it from the ground up so while I seriously would love to see that happen, I'm not going to hold my breath


1 minute ago, Ryan_Vickers said:

Getting their shit together would require completely scrapping the entire system and redesigning it from the ground up so while I seriously would love to see that happen, I'm not going to hold my breath

Redesign? All they have to do is not accept a first name as "proof of identity" and let the caller go rampant.


10 minutes ago, mynameisjuan said:

Redesign? All they have to do is not accept a first name as "proof of identity" and let the caller go rampant.

The problem is the entire system is "open" and designed with people rather than actual security at the core.  A worker with the right credentials can do whatever they want, they're just on their honour to ask for and verify the right information before taking any actions (and too often, they don't even do that).  This is fundamentally flawed.  Consider the difference between a file that's actually encrypted, and a file protected by a program an elementary school student made for fun that, when run, prompts you for a password, and if provided, opens a hidden folder on the computer where the file is stored (but of course, if you knew where it was you could just go to it manually).  In this analogy, the redesigned system I'm proposing would work like the encrypted file, and the system we have now is like the kid's program.  It's a complete joke and with so many modern systems and accounts using phones as a secure and reliable identifier, which they are not, it's all the more important that this change be made - and in the meantime, that people avoid the system entirely for things that can actually be counted upon.

Getting the workers to properly identify people before giving up accounts is just a band-aid on a wall that's already full of holes.  To truly fix the problem, it needs to work like accessing an encrypted hard drive - it should be impossible for anyone to do it without the right credentials.


2 minutes ago, Ryan_Vickers said:

The problem is the entire system is "open" and designed with people rather than actual security at the core.  A worker with the right credentials can do whatever they want, they're just on their honour to ask for and verify the right information before taking any actions (and too often, they don't even do that).  This is fundamentally flawed.  Consider the difference between a file that's actually encrypted, and a file protected by a program an elementary school student made for fun that, when run, prompts you for a password, and if provided, opens a hidden folder on the computer where the file is stored (but of course, if you knew where it was you could just go to it manually).  In this analogy, the redesigned system I'm proposing would work like the encrypted file, and the system we have now is like the kid's program.  It's a complete joke and with so many modern systems and accounts using phones as a secure and reliable identifier, which they are not, it's all the more important that this change be made - and in the meantime, that people avoid the system entirely for things that can actually be counted upon.

It's still a problem with telecoms not giving a shit who calls in to make a change. It's still better protection than just a password, no matter how much people think it's not.


Just now, mynameisjuan said:

It's still a problem with telecoms not giving a shit who calls in to make a change. It's still better protection than just a password, no matter how much people think it's not.

Well yes, something (i.e., actually doing their job) is better than nothing (just giving it to whoever), but I'm saying that even that is not what it should be.
