Reddit, the sixth-most visited website on the internet, has disclosed that unknown attackers broke into employee accounts by defeating its SMS-based two-factor authentication.
Between June 14 and June 18, the attackers compromised several Reddit employees’ accounts with the company’s cloud hosting and source-code hosting providers, Reddit revealed in a statement on Wednesday. The accounts were protected by two-factor authentication, but the second factor was delivered by SMS.
The SMS codes were instead intercepted in transit, most plausibly by a man-in-the-middle attack on the SMS channel, and the stolen codes were used to take over the staffers’ accounts. Reddit insists that the targeted employees’ phones themselves were not hacked.
The stolen data includes a backup of Reddit’s entire database from the site’s launch in 2005 until May 2007, containing usernames, salted and hashed passwords, email addresses and all content from that period, including public posts and private messages between users.
In an admission of a serious security lapse, Reddit said in its announcement:
Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
Reddit adds that it has reported the breach to law enforcement and is “cooperating with their investigation”.
LIFARS strongly recommends switching from SMS to token-based multi-factor authentication, such as an authenticator app or a hardware security key, since text messages can be intercepted in a number of ways, most commonly by an attacker who takes over the victim’s mobile phone account with the carrier and has the messages delivered to a device they control. A code generated on the user’s own device from a shared secret is never sent over the phone network, so there is nothing for a SIM hijacker to intercept.
Image credit: DJANDYW.COM AKA NO/Flickr.