
The Real Takeaways From the Reddit Hack

There Are Significant Differences Between Each 2FA Method, and the Risks it Poses

On August 1st, Reddit.com, the US-based social news aggregation, web content, and discussion website, disclosed a data breach whose full impact has yet to be determined. Reddit said the breach was discovered on June 19th, four days after the hacker(s) compromised several employee accounts at its cloud and source code hosting providers.

It’s common practice for cyber adversaries to camouflage their attacks by leveraging compromised credentials, and in that regard the Reddit hack was no exception. However, the fact that the attackers were able to bypass the SMS-based two-factor authentication Reddit used to protect its employees’ accounts was a wake-up call for many in the industry.

Reddit is the fifth-most visited website in the US and among the top 20 worldwide. One reason it has become the world’s leading message board is that it allows users to remain anonymous, so they can freely discuss controversial topics and post questionable images. As a result, Reddit is often used to spread conspiracy theories and disinformation campaigns, including those tied to the Russian-based social media influence operations in the 2016 Presidential elections.

Causing Impact Beyond the Core Data

According to Reddit, the attack exposed some internal data (e.g., source code, logs, configuration, and other employee workspace files), as well as email addresses, salted hashed passwords, and content belonging to Reddit users who registered accounts prior to May 2007. In addition, the email addresses of some users who had signed up to receive daily email digests of specific discussion threads were exposed.

Any email address connected to a Reddit user name could be used to link an anonymous account to a real person’s identity, with potentially serious consequences, including blackmail. A similar data breach at Ashley Madison in 2015 exposed the email addresses and usernames of more than 33 million users seeking extramarital affairs. The Ashley Madison hack and subsequent leak of user information resulted in divorces and reportedly two suicides.

Reddit and Ashley Madison are not the first online service providers to be compromised. The long list includes breaches at Equifax, AdultFriendFinder, and Yahoo!, which exposed personal data from billions of accounts. The common thread linking these breaches is bad actors targeting the weakest link in the security chain: end-user or administrator credentials. In many cases attackers are now shifting their focus to compromising accounts belonging to individuals in the target company’s supply chain, then moving laterally and extracting data.

However, what stood out in the Reddit case was that the compromised employee accounts were protected by SMS-based two-factor authentication (2FA), which immediately raised questions about the validity of this security method.

No 2FA vs. 2FA

Two-factor authentication, or two-step verification, is an additional layer of security that requires not only a username and password but also something only the user has (e.g., a device) or something the user is (e.g., a fingerprint). In today’s world of increasing online crime and fraud, 2FA is meant to prevent attackers from leveraging compromised user credentials: they cannot log into the account unless they also possess the second factor. This explains why more and more online services are making 2FA a default feature.

However, there are significant differences between each 2FA method and the risks each poses. By Reddit’s own admission, “we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”

It’s well documented that one-time password tokens (OTPs) transmitted over SMS are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST), in its Special Publication 800-63 guidelines, recommends restricting the use of SMS for OTP delivery and advises eliminating OTP via email entirely. Instead, NIST promotes the use of either app-based authenticators or hardware security keys built on the FIDO standard.

For example, Google has reportedly eliminated phishing by giving security keys to all of its 85,000 employees. The user completes the login process simply by inserting the hardware security key, a USB device.
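To make the contrast between the two paragraphs above concrete, here is an added toy model (not Reddit’s, Google’s or any FIDO vendor’s code) of why an intercepted SMS code works for whoever holds it while a FIDO-style assertion does not: the key signs the server challenge together with the site the browser actually visited, so an assertion produced on a look-alike origin fails at the real site, and a challenge cannot be replayed. It assumes constructed names (`reddit.example`, `reddit-login.example`, user `alice`) and uses an HMAC under a per-key secret as a stand-in for the public-key signature a real authenticator produces.

```python
import hashlib, hmac, os, secrets

RP_ID = "reddit.example"            # constructed: site the key was enrolled with
PHISH_ID = "reddit-login.example"   # constructed: look-alike origin run by a phisher

# --- SMS one-time password -------------------------------------------------
# The server knows only the code it sent. Nothing about who reads the text
# message (the owner, or someone who ported the number) enters the check.
def sms_verify(sent: str, presented: str) -> bool:
    return hmac.compare_digest(sent, presented)

def sms_login() -> bool:
    code = f"{secrets.randbelow(10**6):06d}"   # delivered over the carrier network
    return sms_verify(code, code)               # an interceptor holds the same string

# --- FIDO-style security key ------------------------------------------------
# Simplification: HMAC under a secret shared at enrolment stands in for a
# public-key signature. The signed message binds the relying-party id the
# browser observed to the one-time challenge.
class SecurityKey:
    def __init__(self):
        self._secret = os.urandom(32)
    def enrol(self) -> bytes:
        return self._secret            # toy: real FIDO hands over a public key
    def sign(self, observed_rp_id: str, challenge: bytes) -> bytes:
        msg = observed_rp_id.encode() + b"\x00" + challenge
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id, self.enrolled, self.pending = rp_id, {}, {}
    def enrol(self, user: str, key: SecurityKey) -> None:
        self.enrolled[user] = key.enrol()
    def new_challenge(self, user: str) -> bytes:
        self.pending[user] = os.urandom(32)
        return self.pending[user]
    def verify(self, user: str, assertion: bytes) -> bool:
        challenge = self.pending.pop(user, None)   # single use: replay fails
        if challenge is None or user not in self.enrolled:
            return False
        msg = self.rp_id.encode() + b"\x00" + challenge
        expected = hmac.new(self.enrolled[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)

def fido_login(observed_rp_id: str, replay: bool = False) -> bool:
    """Log in while the browser is on observed_rp_id; optionally resend the assertion."""
    key, rp = SecurityKey(), RelyingParty(RP_ID)
    rp.enrol("alice", key)
    challenge = rp.new_challenge("alice")     # a phisher can relay this verbatim
    assertion = key.sign(observed_rp_id, challenge)
    first = rp.verify("alice", assertion)
    return rp.verify("alice", assertion) if replay else first
```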

Lessons Learned

The Reddit data breach is the latest reminder that security professionals need to keep pace with technology advancements to counter bad actors’ innovations in attack methodologies. While SMS-based two-factor authentication was sufficient a decade ago, it is no longer foolproof.

In addition to using stronger two-factor authentication methods, organizations should consider risk-based authentication powered by machine learning to detect abnormal user behavior. This approach can enforce an appropriate response when risky behavior is detected, such as automatically blocking access or challenging the user with a step-up authentication request.

Ultimately, the Reddit data breach illustrates the importance of rolling out a Zero Trust Security approach designed to verify the user, validate their device, limit access and privilege, and learn and adapt to new risks.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).