Reddit, the online discussion board that grew somewhat out of hand and became the sixth most visited website, has admitted in a Wednesday mea culpa that it was broken into by unknown attackers.
Specifically, between June 14 and June 18, the intruders managed to get into the site's cloud hosting and source-code hosting accounts belonging to several Reddit employees, despite those accounts being locked down with two-factor authentication via SMS. At this stage it appears that a man-in-the-middle attack was used to intercept the SMS tokens, allowing the accounts to be taken over. The staffers' phones themselves were not compromised, it is claimed.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” the Reddit team said in a statement on Wednesday. “We point this out to encourage everyone here to move to token-based 2FA.”
El Reg also strongly recommends hardware tokens for multi-factor authentication rather than SMS messages. Text messages can, for instance, be intercepted by crooks hijacking phone accounts in so-called port-out scams, via SS7 attacks, via browser-based attacks, or possibly by being sniffed over the air. In this case, it is not known exactly how the login SMSes were captured; they may simply have been phished, after all.
The intruders managed to steal a backup database of data submitted to the site from its launch in 2005 until May 2007, containing usernames, passwords (though these were salted and hashed), email addresses, and all content, including public and private messages.
That sounds bad, but there are mitigating factors. Reddit was not that large for the first year or so of operation, and the founders have admitted that quite a few of the accounts were sock puppets set up to simulate early traffic. The loss of private messages may be more serious, although they are all more than a decade old.
Reddit also believes that some emails sent out between June 3 and June 17 were stolen, revealing which safe-for-work subreddits some email addresses were subscribed to. Affected users will be contacted by the biz if they were caught up in the theft. The report also indicates that Reddit source code, internal logs, configuration files, and other employee workstation files were accessed.
“In other news, we hired our very first Head of Security, and he started 2.5 months ago,” said Reddit CTO Christopher Slowe. “I’m not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months. So far he hasn’t quit.”