Nobody panic, but Reddit has been hacked (and it was hilariously easy)
Might want to change those passwords, folks.
Yes, you read that correctly. It would appear that “the front page of the internet” is no longer a safe space where well-meaning individuals can engage in respectful discussion, hijack PR campaigns to give whales goofy names, and manipulate Google’s algorithm to make fun of Donald Trump without fear of persecution.
That’s according to Reddit chief technology officer Christopher Slowe, at least, who announced via a blog post that the fifth most popular site on the internet had been breached by a hacker on Wednesday morning.
On June 19, we learned that an attacker compromised a few of Reddit’s accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes. We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future. A small number of users were affected and have been notified.
Among the data compromised during the breach, according to the statement, was a 2007 data backup and the “email digest” logs from June 3 to June 17, 2018. While the former obviously only affects those who had a member account in Reddit’s early days (and the only people who might be drawn to its newly introduced chatroom), the latter is essentially a Mission Impossible-style NOC list connecting user accounts to the corresponding email addresses. In an era where bot accounts are already being suppressed across all social media platforms by the millions, a breach like this could make account manipulation easier than ever — and harder to detect.
That’s not to even mention the compromises to “Reddit source code, internal logs, configuration files and other employee workspace files” that also occurred, according to Slowe.
So what kind of hacker extraordinaire could be capable of outsmarting the security of a company valued at $1.8 billion? Well, pretty much anyone who knows a thing about two-factor authentication, it turns out. Wired offers a breakdown of Reddit’s laughably easy security protocol.
Attackers got into Reddit’s systems by compromising some employee administrative accounts for company cloud storage and source code storage. Slowe notes in the blog post that the employees were using two-factor authentication to protect these crucial accounts, but some number of them had that layer of protection set up with SMS—meaning someone would need a code texted to their mobile number to complete an account login. The problem is that SMS-based two-factor is known to be insecure, because attackers can launch a “SIM swapping” attack to take control of a user’s SIM card and all the data coming to their phone number.
Or as Kenn White, director of the Open Crypto Audit Project, puts it, “A high-value property like Reddit secured with some dude’s mobile number is no bueno.”
No bueno indeed, Kenn. No bueno indeed.
Although Reddit sent an email to all affected users immediately following the breach, Slowe is still recommending that any and all users change their passwords and consider switching on two-factor authentication for their accounts. You know, because that worked so well in the recent past.
What do you think? Did you change your password? Let us know below.