
The Real Takeaways From the Reddit Hack

There Are Significant Differences Between Each 2FA Method, and the Risks it Poses


On August 1st, Reddit.com, the US-based social news aggregation, web content, and discussion website, disclosed a data breach whose full impact has yet to be determined. Reddit said the breach was discovered on June 19th, four days after the hacker(s) compromised several employee accounts at its cloud and source code hosting providers.

It’s common practice for cyber adversaries to camouflage their attacks by leveraging compromised credentials, and in that regard the Reddit hack was no exception. However, the fact that the attackers were able to bypass the SMS-based two-factor authentication Reddit used to protect its employees’ accounts was a wake-up call for many in the industry.

Reddit is the fifth-most visited website in the US and among the top 20 worldwide. One of the reasons it has become the world’s leading message board is it allows users to remain anonymous to freely discuss controversial topics and post questionable images. As a result, Reddit is often used to spread conspiracy theories and disinformation campaigns, including those tied to the Russian-based social media influencer operations in the 2016 Presidential elections.

Causing Impact Beyond the Core Data

According to Reddit, the attack exposed some internal data (e.g., source code, logs, configuration, and other employee workspace files), as well as email addresses, salted hashed passwords, and content belonging to Reddit users who registered accounts prior to May 2007. In addition, email addresses of some users who had signed up to receive daily email digests of specific discussion threads were exposed.

All email addresses connected to Reddit user names could be used to link anonymous accounts to people’s identities, causing potentially serious consequences and allowing for blackmail. A similar data breach at Ashley Madison in 2015 exposed the email addresses and usernames of more than 33 million users seeking extramarital affairs. The Ashley Madison hack and subsequent leak of user information resulted in divorces and reportedly two suicides.

Reddit and Ashley Madison are not the first online service providers to be compromised. The long list includes breaches at Equifax, AdultFriendFinder, and Yahoo! which exposed personal data of billions of accounts. The common thread linking these breaches was bad actors targeting the weakest link in the security chain, compromising end user or administrator credentials. In many cases hackers are now shifting their focus and compromising accounts belonging to individuals in the target company’s supply chain to subsequently make lateral movements and extract data.


However, what stood out in the Reddit case was the fact that the compromised employee accounts were protected by SMS-based two-factor authentication (2FA), immediately raising questions about the validity of this security method.

No 2FA vs. 2FA

Two-factor authentication, or two-step verification, is an additional layer of security that requires not only a username and password, but also something that only the user has (e.g., a device) or something the user is (e.g., a fingerprint). In today’s world of increasing online crime and fraud, 2FA is meant to prevent hackers from leveraging compromised user credentials, as they cannot log into the user account unless they also possess the second factor. This explains why more and more online services are making 2FA a default feature.

However, there are significant differences between each 2FA method, and the risks it poses. By Reddit’s own admission, “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”

It’s well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST), in its Special Publication 800-63 guidelines, recommends restricting the use of SMS for an OTP and advises against using email for an OTP at all. Instead, NIST is promoting the use of either application-enabled or hardware-based security keys that leverage the FIDO standard.

For example, Google has apparently eliminated phishing by giving security keys to all of its 85,000 employees. The user completes the login process simply by inserting the hardware-based security key, a USB device.

Lessons Learned

The Reddit data breach is the latest reminder that security professionals need to keep pace with technology advancements to counter bad actors’ innovations in attack methodologies. While SMS-based two-factor authentication was sufficient a decade ago, it is no longer foolproof.

In addition to using advanced two-factor authentication methods, organizations should consider risk-based authentication powered by machine learning to detect abnormal user behavior. This approach can enforce appropriate responses when risky behavior is detected, such as automatically blocking access or challenging the user with a step-up authentication request.
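The following is an added illustration, not code from the article or from any product it mentions, of the allow / step-up / block policy described above. It scores each login against the user's previous successful login using three constructed signals (unknown device, impossible travel, recent failed attempts); the thresholds, the signal names and the login records are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class Login:
    user: str
    ts: datetime          # time of the attempt (UTC, constructed)
    device_id: str        # browser/device fingerprint (constructed)
    lat: float            # geolocation of the source IP (constructed)
    lon: float
    recent_failures: int  # failed password attempts in the last hour (constructed)

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(login, prev):
    """Score a login attempt against the user's last successful login (prev may be None)."""
    score = 0
    if prev is None or login.device_id != prev.device_id:
        score += 30  # first sighting of this device for the user
    if prev is not None:
        hours = max((login.ts - prev.ts).total_seconds() / 3600, 0.01)
        speed = km_between((login.lat, login.lon), (prev.lat, prev.lon)) / hours
        if speed > 900:  # faster than an airliner: "impossible travel"
            score += 50
    score += min(login.recent_failures * 10, 30)  # password guessing before this attempt
    return score

def decide(score):
    """Map a risk score to the response the article describes.

    The step-up challenge should be a phishing-resistant factor (e.g. a FIDO
    security key) rather than an SMS code, for the reasons given above.
    """
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"

def evaluate(login, prev):
    """Convenience wrapper: return (score, decision) for one attempt."""
    score = risk_score(login, prev)
    return score, decide(score)
```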

Ultimately, the Reddit data breach illustrates the importance of rolling out a Zero Trust Security approach designed to verify the user, validate their device, limit access and privilege, and learn and adapt to new risks.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
