This week's Reddit breach shows company's security is (still) woefully inadequate

Popular discussion website Reddit proved this week that its security still isn't up to snuff when it disclosed yet another security breach that was the result of an attack that successfully phished an employee's login credentials.

Just My Size ComfortSoft EcoSmart Fleece Full-Zip Women's Hoodie_Navy HTR_2X

$27.27-

Manduka GRP Mat Wash Everyday 6.7 oz.

$15.00

Oalka Women's Short Yoga Side Pockets High Waist Workout Running Sports Shorts 4"

$14.99 - $16.99

Gaiam No-Slip Yoga Towels

$27.22-

In a post published Thursday, Reddit Chief Technical Officer Chris "KeyserSosa" Slowe said that after the breach of the employee account, the attacker accessed source code, internal documents, internal dashboards, business systems, and contact details for hundreds of Reddit employees. An investigation into the breach over the past few days, Slowe said, hasn't turned up any evidence that the company's primary production systems or that user password data was accessed.

"On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees," Slowe wrote. "As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens."

A single employee fell for the scam, and with that, Reddit was breached.

Further Reading

In that earlier breach, the phished employee's account was protected by a weak form of two-factor authentication (2FA) that relied on one-time passwords (OTP) sent in an SMS text. Security practitioners have frowned on SMS-based 2FA for years because it's vulnerable to several attack techniques. One is so-called SIM swapping, in which attackers take control of a targeted phone number by tricking the mobile carrier into transferring it. The other phishes the OTP.

When Reddit officials disclosed the 2018 breach, they said that the experience taught them that "SMS-based authentication is not nearly as secure as we would hope" and, "We point this out to encourage everyone here to move to token-based 2FA."

Fast-forward a few years and it's obvious Reddit still hasn't learned the right lessons about securing employee authentication processes. Reddit didn't disclose what kind of 2FA system it uses now, but the admission that the attacker was successful in stealing the employee's second-factor tokens tells us everything we need to know--that the discussion site continues to use 2FA that's woefully susceptible to credential phishing attacks.

The reason for this susceptibility can vary. In some cases the tokens are based on pushes that employees receive during the login process, usually immediately after entering their passwords. The push requires an employee to click a link or a "yes" button. When an employee enters the password into a phishing site, they have every expectation of receiving the push. Because the site looks genuine, the employee has no reason not to click the link or button.

OTPs generated by an authenticator app such as Authy or Google Authenticator are similarly vulnerable. The fake site not only phishes the password, but also the OTP. A fast-fingered attacker, or an automated relay on the other end of the website, quickly enters the data into the real employee portal. With that, the targeted company is breached.

Further Reading

FIDO 2FA can be made even stronger if, besides proving possession of the enrolled device, the user must also provide a facial scan or fingerprint to the authenticator device. This measure allows for 3FA (a password, possession of a physical key, and a fingerprint or facial scan). Since the biometrics never leave the authenticating device (since it relies on the fingerprint or face reader on the phone), there's no privacy risk to the employee.

Further Reading

Around the same time, content delivery network Cloudflare was hit by the same phishing campaign. While three employees were tricked into entering their credentials into the fake Cloudflare portal, the attack failed for one simple reason: rather than relying on OTPs for 2FA, the company used FIDO.

To be fair to Reddit, there's no shortage of organizations that rely on 2FA that's vulnerable to credential phishing. But as already noted, Reddit has been down this path before. The company vowed to learn from its 2018 intrusion, but clearly it drew the wrong lesson. The right lesson is: FIDO 2FA is immune to credential phishing. OTPs and pushes aren't.

Reddit representatives didn't respond to an email seeking comment for this post.

People who are trying to decide what service to use and are being courted by sales teams or ads from multiple competing providers would do well to ask if the provider's 2FA systems are FIDO-compliant. Everything else being equal, the provider using FIDO to prevent network breaches is hands down the best option.