A few days ago, Reddit announced that they had been the victim of an elaborate hack attack and data breach. The attackers accessed the email digests from August 2018 and the entire 2007 database backup. The backup included old salted and hashed user passwords, usernames and their email addresses. The attackers also compromised a few Reddit employee accounts by intercepting the SMS used in two-factor authentication (2FA).
Although our knowledge about the attack is limited to what Reddit has disclosed, we can still analyze the incident from a web security perspective.
Storing Hashed and Salted Passwords
Protecting passwords by employing salted password hashing is a web security measure that really pays off in the event of a website breach. This tactic makes it more difficult for attackers to retrieve them in a usable form, providing that the passwords are strong enough. In case users use the same passwords for other accounts, this prevents attackers from taking over the accounts on those platforms as well.
Reddit announced that if users are found to be actively using the same hashed passwords as the stolen ones, they will be asked to reset them. Regardless, users are advised to change their passwords as a safety measure if they’ve been using the same one since 2007 (refer to our customer survey on online risky behaviour for more information on how end users use passwords etc).
Two-Factor Authentication and Multi-Factor Authentication (MFA)
Reddit employees were right in enabling 2FA to secure their login process. Two-Factor Authentication is an additional authentication feature that requires the user to provide a proof of knowledge, possession or inheritance by using one or more of the following:
- Knowledge - something the user knows (password, PIN code)
- Possession - something the user has (telephone, OTP, Token Generator)
- Inherence - something the user is (biometrics, fingerprints)
The interception of SMS text messages, using techniques such as SIM-swapping or abusing weaknesses in the SS7 protocol, has been practised by criminals for quite a while.
Following this recent incident, Reddit also announced that they will get rid of SMS-based Two-Factor Authentication in favor of token-based 2FA. Users will need to enter a token generated by an authenticator application (usually installed on their phone) in place of the SMS verification code, as part of their secure login process.
An Excellent Example of Proper Logging and Monitoring
Perhaps the most controversial item on the OWASP Top 10 List for 2017 was the Insufficient Logging and Monitoring category. A similar category is listed in the OWASP Proactive Controls List - Implement Logging and Intrusion Detection. While the implementation of the logging mechanism is listed as a recommended measure in the Proactive Controls list, the improper implementation of this mechanism is listed as a vulnerability in the Top 10 list.
Keeping in mind that the average time between a successful attack and its detection is no less than a whopping 191 days, Reddit did a pretty impressive job by uncovering the attack on June 19 - only about 1-4 days after the attack (June 14-18) took place.
For further information on the attack, see the full Reddit announcement.