Reddit hack shows even strong security measures can be bypassed

Key Points
  • Reddit suffered a security breach via employees using cloud and source code hosting sites.
  • The attackers were able to bypass strong two-factor authentication measures by "SMS intercept," which involves spoofing cell phone numbers in order to log into employee accounts.
  • The company recently hired its first-ever head of security, a company spokesman said in a post on the site.
Steve Huffman, CEO of Reddit, delivers remarks on 'Redesigning Reddit' during the Web Summit in Lisbon, Portugal, Nov. 8, 2017.
Horacio Villalobos | Corbis | Getty Images

Reddit, one of the most popular sites on the internet, fell victim to a cyberattack in June, the company revealed today, allowing hackers to steal email addresses and passwords of what the company calls a "small number" of users.

The attack happened despite Reddit's use of two-factor authentication, which relies on two separate factors, like a password and an SMS message. In this case, the SMS messages were intercepted, according to the company. The incident will prompt it to move to a stronger "token-based" authentication. Google recently began offering this type of authentication, and says it has successfully been used to ward off attacks like the one Reddit says it fell victim to.

The incident comes at a time when Reddit is trying to change its business model to make money off of its vast audience through targeted advertising, a move that has rankled some members of its community, whose interests have traditionally ranged from support groups to shared pornography interests.

Reddit has become one of the five most popular sites on the internet, with more than 330 million monthly visitors, CNBC has previously reported. The company, which raised $200 million at a valuation of $1.8 billion last year, is making a push to sell more advertising in an attempt to reach the kind of business success that other high-traffic social networks, such as Facebook and Twitter, enjoy.

A "serious" attack

The attack, which took place from June 14 to June 18, was "serious" and the attackers were able to access all Reddit data from "2007 and before" including account credentials and email addresses, according to a company executive posting to the Reddit homepage. The spokesperson, who uses the alias KeyserSosa, is Chris Slowe, the Chief Technology Officer of Reddit, the company confirmed.

Stolen information included "a complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007," according to the post. The company also said email digests sent between June 3 and June 17 were accessed.

Most Reddit users will be contacted through private messages or the email address associated with their account, according to the company.

The company has reported the incident to law enforcement and has taken measures to block "privileged access" to Reddit's systems, according to the statement. Credentials for individuals working with unnamed cloud and source code hosting providers were compromised, the statement said. Attackers not only stole passwords, but also intercepted texts sent to employee smartphones in order to carry out the theft, the statement says.

The incident will lead the company to change from text-based two-factor authentication to token authentication, the spokesperson said.

Two-factor authentication requires individuals to prove their identity to a company's systems by at least two different means: a password, plus either a unique code texted via SMS to their smartphone or a smart key device that only the employee holds.

In Reddit's incident, the attackers were able to gain access through the credentials of internal employees, which included deep access to "code and infrastructure," the company said.

"Already having our primary access points ... requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA," the company said.

The statement strengthens the position of companies like Google and Yubico, which both offer token-based authentication for corporations and individuals.

"In other news, we hired our very first Head of Security, and he started 2.5 months ago. I'm not going to out him in this thread for obvious reasons, and he has been put through his paces in his first few months," Slowe wrote on the Reddit post. "So far he hasn't quit. On a related note, if you'd like to help out here and have a security background, we actually have a couple of open security roles right now."

Those roles, according to Slowe, include:
