Reddit says hacker intercepted text message code to accomplish ‘serious’ attack
Reddit said Wednesday that it suffered a breach resulting in the compromise of company source code and user data, blaming a hacker for bypassing the two-factor authentication system in place for securing one of the internet’s most visited websites.
Reddit co-founder and chief technical officer Christopher Slowe said that a hacker infiltrated the site’s systems after intercepting a SMS text message that allowed them to access company accounts.
“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” Mr. Slowe, 39, wrote in a Reddit post.
“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Mr. Slowe wrote using his Reddit handle, KeyserSosa.
An investigation ultimately determined the hacker used their access to glean material including internal logs, configuration files, current email addresses and a 2007 database containing the names of users and their encrypted passwords, Mr. Slowe wrote.
Reddit has reported the issue to law enforcement and is notifying users affected by the ‘serious attack,’ the post said.
Accounts protected by two-factor authentication require the user to enter a secondary access code after inputting their user name and password, effectively creating an extra layer of protection to defend against unauthorized access. These secondary codes can be generated using pre-configured mobile apps or USB devices, or received in the form of text messages sent to the account holder’s cellphone. Methods exist for hackers to intercept texts, however, such as convincing a telecommunications provider into switching the unique SIM card affiliated with the subscriber to one under the attacker’s control, also known as “SIM swapping.”
Last month, meanwhile, Google claimed the company has successfully defended its more than 85,000 staffers from hackers ever since requiring last year that employee use physical, USB-based security keys generate codes needed to access their work accounts.
Launched in 2005, Reddit currently ranks eighth among the internet’s most visited sites, according to Alexa, the Amazon-owned analytics service.