Slashdot Mirror


A Hacker Broke Into a Few of Reddit's Systems and Managed To Access Some User Data, Company Says (reddit.com)

A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords, Reddit said Wednesday. From the announcement: Since then we've been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again. Reddit says the incident occurred between June 14 and June 18 when the hacker "compromised a few of our employees' accounts with our cloud and source code hosting providers." Interestingly, even as Reddit employees maintain 2FA on their accounts, the attacker managed to get access to their data. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," the company said. The company says it has a reason to believe the attacker had access to the following data: All Reddit data from 2007 and before including account credentials and email addresses. What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007. In Reddit's first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then. How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you're clear here.

44 comments

  1. Actual impact is what? by Anonymous Coward · · Score: 0

    Let us be generous and assume reddit users follow accepted advice and use unique passwords on all sites. What then was actually leaked here other than making public some users who wished to remain anonymous but somehow not enough to use a unique email address as well?

    Most of these email/password leaks are non events when using unique passwords yet it is a big story each time.

    1. Re: Actual impact is what? by xxxJonBoyxxx · · Score: 1

      I can't quite tell if you're trolling so I'll bite. Yes a non-trivial number of those Reddit users will have their password hashes rainbow tabled, and then their email/password combos will be used to access their accounts on other sites. Even 11 years later. In fact, my place of employment will probably be adding the Reddit list to the list of credential combos we run against our own systems to make sure bad guys can't try the same trick here. (We tend to mysteriously force a silent password change on affected users.)

    2. Re: Actual impact is what? by Anonymous Coward · · Score: 0

      I feel like you ignored the part where we were assuming the good users have unique passwords.

    3. Re: Actual impact is what? by Anonymous Coward · · Score: 1

      Rainbow tabled??? If the hashes were salted, and it says in the summary they were, then rainbow tables would be unlikely. Rainbow tables would have to be generated for each salt, and presuming the salts weren't incredibly stupid the number of hashes per salt wouldn't be common enough to make rainbow tables worthwhile.

      However, they could and presumably would generate hashes using a brute force approach.

    4. Re: Actual impact is what? by sg_oneill · · Score: 1

      11 years ago MD5 was still the go-to encryption of choice. Generating a rainbow table for that is possible in an hour or so with a cluster of rented Amazon GPU servers, at a pretty low price, especially if stolen credit cards are involved. This isn't the problem it used to be.

      Now if it's properly salted with a salt for each password, sure, it's a bit harder, but for a lot of folks salt just means add the word "SECRET" to the start of the password.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    5. Re: Actual impact is what? by hoggoth · · Score: 1

      You have no idea what 'salted' passwords means, do you? It doesn't add the word 'SECRET' to every password or any other secret word. It adds a *different* random string to every password. This means rainbow tables are useless because the entire rainbow table would be specific to ONE user's password. It would be completely pointless to generate a rainbow table for ONE user instead of just a brute-force attack on that user, with or without a 'cluster of rented Amazon GPU servers'.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    6. Re: Actual impact is what? by xxxJonBoyxxx · · Score: 1

      >> Rainbow tabled??? If the hashes were salted,

      Depends again on how they salted. If they used one salt for all passwords (as I've seen before) and it was captured too, then game over. However, if each entry had its own salt then yep, you're correct. (And thanks for reading the TFA - I always seem to lose interest before I get there.)
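The salting argument running through the replies above (hoggoth's per-user random salt versus sg_oneill's fixed "SECRET" prefix, and xxxJonBoyxxx's point about one global salt that leaks along with the dump) is easier to see in code. The following is an added example written for this page; it is not code from Slashdot, from any commenter, or from Reddit. It assumes MD5 as a stand-in for whatever 2007-era hash was in use (the thread only guesses MD5), and every username, password, salt and wordlist entry is constructed for the demonstration. The last function is the defender-side check xxxJonBoyxxx describes: running a leaked credential list against your own user table and flagging accounts that need a forced reset.

```python
"""Added example (not code from the thread or from Reddit): why per-user random
salts defeat a precomputed hash table while an unsalted store, or one whose single
global salt leaked with the backup, does not. MD5 stands in for the unknown
2007-era hash; all names, passwords, salts and wordlist entries are constructed."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for what an attacker precomputes against.
CANDIDATES = ["password", "letmein", "hunter2", "qwerty", "reddit07", "correcthorse"]

# Constructed plaintexts for a few sample 2007 accounts.
PLAINTEXTS = {"alice": "hunter2", "bob": "letmein", "carol": "qwerty", "dave": "correcthorse"}

# The weak "salt": one fixed string prepended to every password. If the backup and
# application code leak together, this string leaks with them.
GLOBAL_SALT = b"SECRET"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(plaintexts=PLAINTEXTS):
    return {u: {"hash": md5_hex(p.encode())} for u, p in plaintexts.items()}


def store_global_salt(plaintexts=PLAINTEXTS):
    return {u: {"hash": md5_hex(GLOBAL_SALT + p.encode())} for u, p in plaintexts.items()}


def store_per_user_salt(plaintexts=PLAINTEXTS, salt_len=16):
    """Each record carries its own random salt, stored in the clear next to the hash."""
    out = {}
    for u, p in plaintexts.items():
        salt = os.urandom(salt_len)
        out[u] = {"salt": salt, "hash": md5_hex(salt + p.encode())}
    return out


def precompute_table(prefix: bytes = b""):
    """Hash every candidate once under a fixed prefix. This plain lookup table is the
    simplest form of what a rainbow table buys: hash work done before seeing the dump.
    Returns (table, number of hash operations)."""
    return {md5_hex(prefix + c.encode()): c for c in CANDIDATES}, len(CANDIDATES)


def crack_with_table(records, prefix: bytes = b""):
    """Unsalted or global-salt store: build one table, then one lookup per user."""
    table, ops = precompute_table(prefix)
    found = {u: table[r["hash"]] for u, r in records.items() if r["hash"] in table}
    return found, ops


def crack_per_user_salt(records):
    """Per-user salts: the table must be rebuilt for every record, so hash work grows
    as users x candidates and none of it can be done before the dump is in hand."""
    found, ops = {}, 0
    for u, r in records.items():
        table, n = precompute_table(r["salt"])
        ops += n
        if r["hash"] in table:
            found[u] = table[r["hash"]]
    return found, ops


def find_reused_credentials(leaked_plaintexts, own_records):
    """Defender side: rehash each leaked username/password pair under your own user's
    salt and flag matches so those accounts get a forced password change. A real site
    would use its own (slow) password hash here; MD5 is kept only for the example."""
    reused = []
    for user, pw in leaked_plaintexts.items():
        rec = own_records.get(user)
        if rec is not None and hmac.compare_digest(md5_hex(rec["salt"] + pw.encode()), rec["hash"]):
            reused.append(user)
    return reused


if __name__ == "__main__":
    for name, records, prefix in [("unsalted", store_unsalted(), b""),
                                  ("global salt", store_global_salt(), GLOBAL_SALT)]:
        found, ops = crack_with_table(records, prefix)
        print(f"{name:13s}: cracked {len(found)}/{len(records)} with {ops} hashes")
    found, ops = crack_per_user_salt(store_per_user_salt())
    print(f"per-user salt: cracked {len(found)}/{len(PLAINTEXTS)} with {ops} hashes")
```

With six candidates and four users, the unsalted and global-salt stores fall to six hash computations and a lookup apiece, while the per-user-salt store costs twenty-four and, more importantly, none of that work could have started before the backup was stolen. Multiplying by real user counts and a slow hash such as bcrypt or Argon2 is what turns "brute-force each user" from a cluster afternoon into an impractical job.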

  2. Gotta wonder how loose their definitions are by Anonymous Coward · · Score: 0

    "few" == "most of"

    "some" == "all"

    Technically, they wouldn't be lying...

  3. It was a walk-off ... by CaptainDork · · Score: 2

    ... steal of a backup tape or EHD by a former Reddit employee.

    --
    It little behooves the best of us to comment on the rest of us.
  4. 2FA SMS by Anonymous Coward · · Score: 0

    Something you have and now also the hacker has, lol.

  5. Does /. have a Head of Security? by Anonymous Coward · · Score: 0

    One of the comments to the Reddit announcement says that Reddit got their first Head of Security less than 3 months ago!

    Does /. have a dedicated Head of Security?

    If not, why not? Is it a matter of cost?

  6. AC Accounts FTW by Anonymous Coward · · Score: 1

    This is why I don't have a Reddit, or a Slashdot, account. Can't steal information that doesn't exist.

    1. Re: AC Accounts FTW by Anonymous Coward · · Score: 0

      This.

  7. What doesn't get hacked? by Anonymous Coward · · Score: 0

    So what site doesn't get hacked or at least attempted to be hacked.

  8. SMS 2FA by ChoGGi · · Score: 1

    Just more proof SMS 2FA is really just 1FA

  9. Nooo by Anonymous Coward · · Score: 0

    It had to be a hacker! How else is msmash going to be k-rad kewl?!?

    1. Re:Nooo by Anonymous Coward · · Score: 0

      It had to be a hacker! How else is msmash going to be k-rad kewl?!?

      M'Smash knows that fedoras, neckbeards, trenchcoats, and samurai swords will always be teh uber-leet.

  10. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

    Are you talking about this incident that /. reported on earlier?

    If comments can be changed so easily within their system, how can we as users be sure that this latest announcement is legitimate?

    Has this disaster been confirmed through any other Reddit-management-controlled medium or media that are less likely to have also been compromised?

  11. WTF by Wolfrider · · Score: 1

    A) Why are they even keeping backups that old, and B) not to mention, NOT ENCRYPTED?? Basic Security fail...

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    1. Re:WTF by Anonymous Coward · · Score: 0

      "A complete copy of an old database backup containing very early Reddit user data -- from the site's launch in 2005 through May 2007"

      Yeah, why the hell did they even have that?

    2. Re:WTF by Ksevio · · Score: 1

      Just in case all the other backups failed, they could revert back to that one!

    3. Re: WTF by Anonymous Coward · · Score: 0

      Jesus Christ... I know that most of the good people left /. a decade ago, but doesn't anyone else here have experience working in IT, operations, or some other real-world computing industry field?! Keeping backups and other data indefinitely is routine, if not mandated by company policies. It's critical to have trusted and verifiable backups in the case of a security incident like this, so that any allegedly-leaked data can be confirmed as valid, as well as to see if it has been tampered with in some way. Comments like yours and the earlier one just reinforce the rumor that only inexperienced neckbeards and Ruby on Rails amateurs post here!

    4. Re:WTF by Hadlock · · Score: 1

      It's really easy during early startup years to open two or more cloud accounts and then just keep paying the bills because it's cheaper to host the data than pay someone to dig through it and make sure it's ok to delete and won't bring your business crashing down in six months.
       
      One startup I worked at, because of the city we were located in, got $10,000 account credits from digital ocean, linode and a bunch of others, which at $10/mo for data storage is basically forever. And the guy setting those up, especially in the early years, is likely to have not come up with password standards yet.
       
      It's easy to work at an established company with mature IT practices, but starting one from scratch, especially in a high growth environment, and do it safely and securely, is fucking hard, man.

      --
      moox. for a new generation.
    5. Re: WTF by Anonymous Coward · · Score: 0

      Sure you keep backups... offline. Leaving them lying around on your production servers is a pretty poor practice and I highly doubt was done intentionally.

  12. Not to worry by SuperKendall · · Score: 1

    Hacker was found in basement having turned to a pillar of salt by looking at Raw Reddit.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  13. SMS Weaknesses by secwatcher · · Score: 1

    They were using SMS 2FA? Really?? That said it sounds like the number impacted was small, so at least Reddit learned from this (relatively) smaller incident instead of something bigger happening.

  14. Reddit's admins are furious by Anonymous Coward · · Score: 0

    How is Spez supposed to access the hacked data for editing posts they disagree with?

  15. Re:Would using Rust have helped? by Anonymous Coward · · Score: 0

    No, Rust would not have helped secure against this attack. I think Cobol would be a better choice for critical business security.

  16. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

    Jesus Christ, you fucking morons, these are social media sites run by private people/companies as they please. They can edit whatever they like whenever they like in which way they like, ban people, delete posts, etc., as they wish. Run your own forum or get a fucking life, you fucking idiots!

  17. GDPR by Anonymous Coward · · Score: 0

    Isn't such old data left around a violation of GDPR? I have right to see my data and ask it to be removed.

  18. What is the worst that can happen? by mea2214 · · Score: 1

    Reddit supports anonymous users. If I get compromised on one of my accounts the worst that can happen is someone posts praising Obama in r/the_donald making me lose 10,000+ karma points. Not terribly important IMHO.

    1. Re: What is the worst that can happen? by Anonymous Coward · · Score: 0

      It doesn't support anonymous users if you have to log in with an account to comment there. The use of accounts means that identity of some form is present.

  19. SPEZ by Anonymous Coward · · Score: 0

    Just edit the hack so the hacker only gets some ice chili recipes

  20. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

    State the obvious. Random anon coward flips out. ??

  21. Re: Sorry, Spez hacked accounts before this by Anonymous Coward · · Score: 0

    "I used to hold opinion X but then someone called me a 'fucking moron' told me to 'get a life'. That's when everything changed for me"

    I'm AC, and this is my story.

  22. Re: Sorry, Spez hacked accounts before this by Dogtanian · · Score: 1

    Jesus Christ, you fucking morons, these are social media sites run by private people/companies as they please.

    And others are free to criticise them as they please. Whether or not they want to run their own social media website.

    They can edit whatever they like

    I wouldn't be as confident as you are if it came to court. Even if there's some BS covering this in the small print of the terms and conditions, putting words in someone's mouth without it being obvious this has been done sounds legally dubious to me.

    ban people, delete posts, etc., and they wish.

    Yes, they can. And others are free to criticise them for this. Whether or not they want to run their own social media website.

    Run your own forum or get a fucking life, you fucking idiots!

    This whole post is virtually the same logic hauled out by fanboys of big companies when they're criticised. No, the fact that someone isn't pointing a gun at my head forcing me to buy (e.g.) the latest iPhone doesn't negate my right to criticise it. Or require me to design and build my own iPhone.

    Logically, this would preclude criticism of the vast majority of things and remove the critical/review information that a truly free market depends upon.

    'Course, the irony with such fuckwits is that they act like they're defending free markets, when in fact they're attacking a core part of their functioning.

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  23. Re:Would using Rust have helped? by hoggoth · · Score: 1

    Programming language security had nothing to do with this hack. Someone called the phone company and pretended to be a clueless customer who was trying to port his phone to a new provider. Lazy phone company rep decided that even though the "clueless customer" didn't pass any of the security questions he would go ahead and port the phone away anyway 'to be helpful'. Now the hacker can receive all SMS messages that were supposed to go to the phone. He logs into Reddit's backend as the user and it sends a two-factor authentication code to the user's phone. Which the hacker is now receiving.

    Sending codes as an SMS to a phone is terrible security and everyone has known this for years. Bitcoin exchanges have been very publicly hacked this way enough that no exchange would even consider using SMS for security. I'm surprised Reddit, which has a very technical community, allowed this.

    BTW my bank still ONLY offers SMS security :-(

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)