On the 1st of August a hugely popular website, Reddit, announced that it had been hacked.
If you’ve not seen it, Reddit is a loosely social network (explored further below) where registered members can post links and news and discuss almost anything on a series of message boards. Users need an email address and a password but are seemingly anonymous to the rest of the world. Users can also send messages directly to each other.
The attack involved hackers logging on to cloud services as an unknown number of members of staff between the 14th and the 18th of June. The important thing to note is that Reddit employed two-step verification for their internal staff accounts. Once logged in with the correct username and password, the employee is sent a code to their mobile phone, which they must then enter to gain access to systems. A complete copy of a database back-up from 2007 was accessed, along with more recent emails, unspecified logs and files.
There are multiple facets to every breach, but they boil down to the technical aspects and the effects on the people for whom the data has been lost.
On a technical level, Reddit haven’t said much. I would be interested to know, for example, whether they had enabled self-service password resets. If this was the case, then potentially all the hacker had to do was to identify a target, work out their username (which is usually easy) and gain access to the user’s mobile phone or SIM.
Gaining access to a mobile phone is harder. Physical access is prohibitive, as you would need to find the person, steal their phone and then crack their phone security. All of this is fraught with the danger of being caught and the expense of travelling. It is considerably easier if you have access to data from earlier hacks, like those of Yahoo in 2016 or Equifax in 2017. A hacker could use this information to transfer the number from one phone to another. At this point, gaining access is rudimentary. Indeed, SIM-swap fraud is on the increase, with many mobile phone operators failing to conduct adequate checks on requests for number porting.
It’s worth remembering that Reddit is very high profile. By some metrics it’s the third most popular site in America, having recently overtaken Facebook. Consequently, they will face automated hack attempts every second and manual ones each minute. Under these circumstances, one would expect better Information Security to be in place than is implied. For example, if the employees’ passwords were changed by self-service, why were the employees not notified with a “Your password has been changed, if this wasn’t you, please contact IT immediately” email? If that email failed, why didn’t several members of staff notice that their password had changed for 5 days? If their passwords hadn’t changed, why were they so easy to guess? Was two-step verification really appropriate, or should they have had proper two-factor authentication in place? Why did they have a 10-year-old backup containing passwords encrypted with a 10-year-old technology?
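The notification question above can be turned into a control that is checked rather than hoped for. The following is an added example, not code from the post or from Reddit: it runs over a constructed audit trail of self-service password resets and flags resets that were never notified, or that the account owner did not confirm within a 5-day window. The event format and the user names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed audit events (not real Reddit logs). Each entry is
# (timestamp, kind, user). A "reset" should be followed by a "notify"
# (the "Your password has been changed" email) and, ideally, an "ack"
# from the owner confirming the change was theirs.
SAMPLE_EVENTS = [
    ("2018-06-14T02:10:00", "reset",  "alice"),
    ("2018-06-14T02:10:05", "notify", "alice"),
    ("2018-06-14T09:30:00", "ack",    "alice"),   # alice confirmed it was her
    ("2018-06-14T03:00:00", "reset",  "bob"),
    ("2018-06-14T03:00:04", "notify", "bob"),     # mail sent, never confirmed
    ("2018-06-15T04:20:00", "reset",  "carol"),   # no notification at all
]

ACK_WINDOW = timedelta(days=5)  # the "5 days" nobody noticed


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def unconfirmed_resets(events, now, window=ACK_WINDOW):
    """Return {user: reason} for password resets the owner has not confirmed.

    reason is "no_notification" when no email followed the reset, or
    "unacknowledged" when the email went out but no confirmation arrived
    and the window has already elapsed by `now`.
    """
    by_user = {}
    for ts, kind, user in sorted(events, key=lambda e: e[0]):
        by_user.setdefault(user, []).append((_parse(ts), kind))
    flagged = {}
    for user, evs in by_user.items():
        for i, (t, kind) in enumerate(evs):
            if kind != "reset":
                continue
            later = evs[i + 1:]
            if any(k == "ack" and t2 - t <= window for t2, k in later):
                continue  # owner confirmed in time; nothing to raise
            if not any(k == "notify" for _, k in later):
                flagged[user] = "no_notification"
            elif now - t > window:
                flagged[user] = "unacknowledged"
    return flagged


if __name__ == "__main__":
    print(unconfirmed_resets(SAMPLE_EVENTS, _parse("2018-06-20T00:00:00")))
```

Run against a real identity provider's audit export, the same check would surface a staff account whose password was reset without the employee ever hearing about it.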
Getting to the bottom of the technical issues would be an interesting exercise.
The data exposure is more important, though. The hackers targeted staff and gained access to interactions that happened 11 years ago, when people believed that it was possible to be anonymous on the internet; users will have posted controversial things.
The easiest way to exploit this would be for the hackers to send automated emails to users saying, “We have your Reddit history where you posted something that your employer would like to see. As proof, your password is below. Pay 0.05 Bitcoin into this account and we will delete our file on you.”
This would be quite a crude use of the data, and the hackers have already shown an appetite for targeting individuals and, generally, greater sophistication than that.
We will have to wait to find out the consequences of this hack. All we can say now is that it is likely that Reddit did not have strong enough security controls in place to manage the risk of a breach.
There are some practical lessons here. Managing old Information Assets is essential. If you don’t need them, delete them. If you do need them, consider the risks and the overheads. This applies regardless of medium, tape or disk. It may also be worth reviewing your password policy and, if you don’t have one, creating one.