Social networking site Reddit announced on Aug. 1 that it was the victim of a data breach.
While the data breach that Reddit publicly disclosed was new, the data that attackers stole was not. After managing to bypass the two-factor authentication (2FA) credential of a Reddit administrator, attackers were able to steal an 11-year-old database backup from 2007 that included all user passwords from the time of the site's launch in 2005 through May 2007.
"A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords," Reddit wrote in an advisory. "Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again."
Reddit discovered the breach on June 19, with the initial investigation revealing attackers were able to compromise several employee accounts between June 14 and June 15. The employee accounts that were breached were at source code and cloud hosting providers used by Reddit.
The user passwords that were in the stolen data were all salted and hashed, meaning they were not stored in clear text and will be difficult for an attacker to use. The stolen data also included usernames and email addresses that were not encrypted. Reddit is now in the process of warning users who have not updated their passwords in the past 11 years to reset their credentials.
Of particular note in Reddit's disclosure is how the attackers were able to get access to the employee accounts.
"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Reddit disclosed.
With 2FA, a second factor, or token, beyond just a simple password is needed to get access to a service. With SMS-based 2FA, a one-time password is sent to the user via SMS text message to gain access. The use of SMS for 2FA represents some known risks, as SMS can be intercepted, which is apparently what happened in the Reddit incident. Back in July 2016, the U.S. National Institute of Standards and Technology (NIST) updated its Digital Authentication Guidelines (DAG) warning that SMS-based 2FA was not secure and should not be trusted.
There are a number of options besides SMS-based 2FA, including software-based authenticators that generate one-time passwords. For the consumer-facing side of 2FA, Twitter notably moved beyond SMS-based 2FA in July 2017, adding support for token-based systems including Duo and Authy.
There are also approaches for enabling 2FA via hardware-based mechanisms, such as using a secure key. Google began implementing secure key technology back in October 2014 as a way to provide hardware-based security for its employee accounts. In 2016, Google researchers published an exhaustive study providing evidence of the strong protection that the secure key technology approach provides.
Why 2FA Matters
Although Reddit is assigning blame for its data breach on an SMS bypass of 2FA, it's important to understand why having any form of 2FA is still better than not using 2FA at all.
In the event of a data breach, where usernames and passwords are stolen, without 2FA an attacker can potentially get access to a victim's account without an additional challenge. With 2FA of any sort in place, an attacker has to work harder and needs to respond to the 2FA challenge to get access.
While SMS is not as secure as other 2FA approaches, it still makes attacks more challenging, as not every attacker will have the time or resources to intercept SMS messages. That said, implementing token-based systems for 2FA is becoming increasingly easier, with the availability of third-party technologies and the emerging WebAuthn standard. With WebAuthn, which was announced on April 12, there is a set of standards for defining strong (non-SMS) based authentication that can be integrated into security keys, as well as other devices, and will be supported via major web browsers.
So SMS-based 2FA is better than nothing, hopefully in the aftermath of the Reddit disclosure, more organizations will choose to move to more secure forms of 2FA.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.