Reddit said an attacker was able to compromise several employees' accounts with its source code and cloud hosting providers, exposing backups, source code, and several logs.
As a result, it is notifying some users who held accounts on the site before 2007, because their account data was affected. According to the site's founding engineers, the incident was discovered on June 19.
Sometime between June 14 and 18, the intruders compromised employee accounts at the source code and cloud hosting providers, bypassing what had been believed to be solid defenses based on two-factor authentication (2FA).
“Having our major access points for code and infrastructure behind strong authentication that requires two-factor authentication, we have learned that SMS-based authentication is not as secure as we expected, since the main attack was via SMS interception. We are sharing this warning to encourage everyone to move to token-based authentication,” they explained.
As a general rule, Reddit already required its employees to use time-based one-time passwords (TOTP), because text-message-based 2FA was known to have weaknesses. “But there are situations where we cannot fully apply this to some of our providers, as there are other SMS reset channels that we cannot disable through account policy,” they commented.
The attackers gained read-only access to backup data, source code, and other records, but could not alter any Reddit information.
The site has since hardened its security posture and is contacting users whose email addresses and, in some cases, private messages were exposed in the incident.
The backups the attackers accessed contained a complete copy of an old database holding Reddit data from 2005 to 2007. In other words, anyone who created a Reddit account after 2007 was not affected by that backup.
However, the attacker also gained access to logs containing email digests sent between June 2 and June 17, 2018. Digest emails are basic recaps of the subreddits a given user subscribes to, but they can link an email address to a username.
“If you do not have an email address associated with your account, or if your email digests user preference was cleared during this time, you will not be affected,” they say.
According to the engineers, “If your account credentials have been compromised and there is a chance that those credentials relate to the password you are using on Reddit, we will have you reset the password for your account. If Reddit requests you to change your password, consider whether you still use the password you used on Reddit 11 years ago on any other site today. A strong, unique password and enabling 2FA (which we provide only through an authenticator application, not SMS) are recommended for all users, as well as being alert for possible phishing or scams.”