Reddit reveals major data breach, promises security fix – Info PR
Organizations that don’t invest in robust internet security are going to
face a data breach scandal. It’s just a matter of time.
Reddit became the latest company to reveal that hackers gained access to
private information, including email addresses, user credentials and
private messages. While much of the data was old archival information, some
of the user data was currently active.
Reddit revealed the breach in a blog post:
On June 19, we learned that between June 14 and June 18, an attacker
compromised a few of our employees’ accounts with our cloud and source code
hosting providers. Already having our primary access points for code and
infrastructure behind strong authentication requiring two factor
authentication (2FA), we learned that SMS-based authentication is not
nearly as secure as we would hope, and the main attack was via SMS
intercept. We point this out to encourage everyone here to move to
token-based 2FA.
For users looking for a less-dense version, the company offered this
summary:
TL;DR: A hacker broke into a few of Reddit’s systems and managed to access some
user data, including some current email addresses and a 2007 database
backup containing old salted and hashed passwords. Since then we’ve been
conducting a painstaking investigation to figure out just what was
accessed, and to improve our systems and processes to prevent this from
happening again.
Noticeably missing from the announcement was any kind of apology. Instead,
Reddit offered actions that it was taking to protect users in the future:
Some highlights. We:
- Reported the issue to law enforcement and are cooperating with their investigation.
- Are messaging user accounts if there’s a chance the credentials taken reflect the account’s current password.
- Took measures to guarantee that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.)
A key part of Reddit’s explanation hinges on the use of SMS-based
two-factor authentication (2FA).
Mashable wrote:
So how did this happen? It appears that SMS-based two-factor authentication played a key role.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” notes the statement. “We point this out to encourage everyone here to move to token-based 2FA.”
However, some in the tech industry can’t believe that Reddit wasn’t more
careful.
Wired wrote:
Though the average consumer may not have heard about the dangers of using SMS in two-factor authentication, the tech community has known about the risk for a few years. Yet somehow Reddit missed the memo.
Others chimed in on Twitter that SMS-based 2FA is a bad industry practice:
Reddit got hacked. They were using SMS 2FA. Never use SMS 2FA. Always use an external authenticator. pic.twitter.com/ELBOPwQn7v
— Emptybeerbottle (@Fullbeerbottle) August 1, 2018
For users who have been compromised, Reddit recommends these steps:
If your account credentials were affected and there’s a chance the credentials relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password. Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.
And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users, and be alert for potential phishing or scams.
The breach follows a string of data loss events from major organizations,
including Equifax.
What do you think of Reddit’s crisis response, PR Daily readers?
Article Prepared by Ollala Corp