Episode 7: Reddit Data Breach
Nikoloz discusses the latest Reddit data breach and how this social media gem communicated the incident to its over 300 million users. Stay tuned for the experience!
Reddit’s systems have been accessed by a hacker, who managed to get his or her hands on some users’ data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. The attack was discovered on June 19, and since then reddit has been conducting a thorough investigation to figure out exactly what was accessed, and to improve their systems and processes to prevent this from happening again.
On June 19, reddit’s staff learned that between June 14 and June 18, an attacker had compromised a few of their employees’ accounts with cloud and source code hosting providers. Reddit speaks openly about the incident and acknowledges that SMS-based authentication is not a secure method, because the attack was carried out via SMS interception. The company also urges everyone to switch to token-based 2FA.
Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and the company has since taken steps to further lock down and rotate all production secrets and API keys, and to enhance its logging and monitoring systems.
Reddit also provides details about the data that was accessed by the attacker.
So, there are two main data parts to this story. One - a
The first one is basically a complete copy of an old database backup, including usernames and salted hashed passwords, email addresses and other content such as upvotes, comments and even private messages (however, I guess not so many people use reddit for private messaging).
The email digest data contains the logs of digests that were sent between June 3 and June 17, 2018. So, to be clear on this, the logs contain the emails themselves, and the digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits the user is subscribed to.
Besides providing data about what was breached, Reddit gives its users more information about how to know whether their information was included in those two data types.
The company is sending out reddit messages to affected users and resetting passwords on accounts where the credentials might still be valid. But keep in mind that if you signed up for Reddit after 2007, you have nothing to worry about in terms of the old database backup part. Also, the good news is that if you did not use email for reddit after 2007, most likely you are fine on this part as well, since you would not have been receiving those digests at all.
The data breach does not end here: since the attacker had read access to storage systems, other data was accessed as well, such as Reddit source code, internal logs, configuration files and other employee workspace files. However, reddit assures users that these parts should not contain user data.
Reddit also provides some information about what they are doing and what users should do. The company has reported the issue to law enforcement and is cooperating with their investigation; I guess that’s the first thing you do when you find out about a data breach, since the laws of many countries require such measures. As mentioned before, reddit is also sending out messages to those users who might have been affected. Also, the social media unicorn has learned the power of token-based 2FA the hard way and has taken measures to guarantee that additional points of privileged access to Reddit’s systems are more secure, through enhanced logging, more encryption and requiring token-based 2FA to gain entry, since they suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.
Apparently, 2.5 months ago reddit hired their first Head of Security, so I definitely do not wish to be in his shoes right now. It probably was not the best start for the position, but I do not think he would have had an opportunity to improve security measures in such a short period. But we can praise reddit for its public communication.
Reddit strongly recommends using token-based 2FA, and I definitely suggest using a password manager to generate unique passwords for different websites; if you are not already doing so, make sure that the passwords used on reddit are not reused on your other favorite websites.
Despite the data breach, I believe that reddit communicated properly with users; they also continued answering user comments on the thread. Also, I think we have good reason to believe that the company has learned something from this incident, and we should hope that they will successfully implement the additional security measures discussed above.