Interesting that the data accessed was very specifically only limited to:
* A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007
* Logs containing the email digests we sent between June 3 and June 17, 2018
Also of note:
"Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."
If this doesn't put the nail in the coffin of SMS-based 2FA, I'm not sure what will.
The hacker(s) took a database backup from 2007. I have never worked anywhere that has kept a backup that long. It is possible it is some sort of final archive before a large migration, redesign, or something like that. However, if the intent is to keep it forever, it should at least be encrypted. As far as I'm aware, the only strong reason not to enable encryption on backups is to allow a secondary backup or mirroring system to compare the changes between backup files rather than reprocessing the entire thing as a single new file. That reason disappears for an archived backup.
While everyone is piling on about how SMS 2FA is oh so bad, it is worth noting that it is supposed to be the second factor here. So what happened to the first factor is the obvious question. Someone using a weak/compromised password or getting socially engineered would be my guesses, neither of which is a very good option.
This incident report glosses over the depth of what access was given to focus on the user data that was compromised... but it sure seems like they got pretty deep:
* A complete copy of an old database backup containing user data from launch in 2005 through May 2007 including:
  - usernames,
  - salted/hashed passwords,
  - e-mails,
  - all content including private messages
* Reddit source code
* Internal logs
* configuration files
* other employee workspace files [?]
The scary part of this is probably for people that had accounts on reddit in 2007 but later deleted them, or just completely forgot they existed. Reddit's not going to be able to contact the owners of those accounts.
Did you have an account 11 years ago? Did you vote on anything embarrassing, or send any compromising messages? How sure are you?
I don't even know the answer to those questions for myself.
If the logs contained IP addresses, they could be used to correlate multiple accounts, leading to throwaway accounts being doxxed.
It doesn't sound like IP address data was compromised, but I wouldn't be surprised.
Alright, 2FA tokens came up the other day on HN and now we have this. Time to make the switch.
Yubikey 4 / Feitian looks interesting, but it seems it only works in Chrome with Gmail etc. etc.
Anyone have any thoughts on solutions that include Safari on Mac and/or iOS? The NEO claims NFC support but I doubt that works on iOS.
For what reason was a decade-old backup kept online? That is insane. If they have hygiene that poor I'm really worried about what other problems they have.
If you are using SMS based 2FA, understand the risk: "Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."
In a comment from the admin: « In other news, we hired our very first Head of Security, and he started 2.5 months ago. » No comment.
«Old salted and hashed passwords» This sentence means: all hashes were readable. It also means, if they are still needed on their servers, that they are probably still in use. It would have been easy to salt these hashes.
First fix holes, then redesign...
SMS is not about securing an account. Its only use is as a proof of work (money) to make it harder/more expensive to make a bot account.
Using it as a security measure is a mistake.
I got the alert to change my PW. I had had the same PW for 12 years!
Edit: 12 years, not 13.
-------------------------------
Account credentials from 2007 compromised
from reddit
[A] sent 35 minutes ago
Hi,
TL;DR: As part of the security incident described here, we've determined that your account credentials may have been compromised. You'll need to reset your password to continue using Reddit. Details below.
On June 19, Reddit was alerted about a security incident during which an attacker gained access to account credentials from 2007 (usernames + salted password hashes).
We're messaging you because your Reddit account credentials were among the data that was accessed.
If there's a chance the credentials relate to your current password, we'll prompt you to reset the password on your Reddit account. Also, think about whether you still use the password you used on Reddit 11 years ago on any other sites today. If there's a chance the credentials relate to the password you're currently using on Reddit, we'll make you reset your Reddit account password. You can find more information about the incident in the announcement post linked above. If you have other questions not answered there, feel free to contact us at contact@reddit.com.
Would someone kindly explain how an SMS can be intercepted during 2FA and how/why tokens otoh are safer?
A friend and I were brainstorming the design of a fraud prevention app/startup just this week and we naively thought SMS would be the way to go. Yikes!
How does SMS interception actually work in practice? Wouldn't this require physical access to the phone/SIM, or are there any known remote exploits?
So what's to stop a hijacker persuading the website to take off 2FA or switch you from TOTP to SMS.
Seems just as possible as hijacking your phone.
SMS hijacking? Really?
How is it that Reddit's security team is continually learning security lessons that have been common knowledge among non-technical people for 5+ years? They seem to treat their production systems more carelessly than the average person treats their Nintendo Switch account.