Reddit comes under fire for refusing to reveal the size of its breach

Reddit has come under fire for refusing to reveal the size of a data breach carried out by cyber criminals in June.

The site, dubbed the homepage of the internet, admitted that hackers successfully infiltrated a handful of employees’ administrator accounts last month and proceeded to steal user data. But, in an unusual move, Reddit has not yet disclosed how many people’s information was stolen during the breach.

In a blog post published last night, the company said that the breach involved two datasets. The first included “account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from [2007]”. This is expected to be the smaller set, given that Reddit was in its infancy when this data was collected.

The second set contains “the email digests we sent between June 3 and June 17, 2018”. This data also includes email addresses linked to usernames, potentially revealing the identity of Redditors who use pseudonyms. While the company said it would be contacting those affected by the historic breach, it did not promise to do the same for those caught up in the recent breach.

“They are putting the onus on the users,” said Alan Woodward, a professor of cyber security at Surrey University. “It’s user-blaming.” GDPR, a sweeping set of data protection regulations that came into effect in May, requires companies to inform their users if their data has been affected in a data breach.

Woodward also raised concerns about the company’s decision not to disclose the number of users affected by the breach. He said: “They seem to be trying to underplay it all and I don’t understand why.”

Reddit revealed that the hackers had gained access to its systems by intercepting its SMS-based two-factor authentication: “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

Tripwire’s Craig Young said the attack illustrated that SMS-based two-factor authentication is not a perfect form of security. “Although any form of multi-factor authentication is a considerable improvement on simple password models, SMS-based verification tokens can be stolen with a variety of well-known techniques including social engineering, mobile malware, or by directly intercepting and decrypting signals from cell towers.”

He added: “The most common technique is most likely use of smartphone malware which automates the process of stealing passwords and obtaining verification codes while obfuscating the activity from the end-user, but this seems less likely in such a targeted campaign.

“Another possibility is that the attackers exploited well-known weaknesses in the Signaling System No 7 (SS7) protocol which is at the heart of modern telephony routing or that they simply called up the victim’s cellular provider and convinced them to transfer the phone number to a new SIM.”

Reddit has been contacted for comment.