A few days ago, Reddit announced that it had been the victim of a data breach. The attacker obtained the email digests Reddit sent in June 2018 and a complete database backup from 2007. The backup included old salted and hashed user passwords, usernames and their email addresses. The attacker got in by compromising a few Reddit employee accounts, intercepting the SMS messages that carried their two-factor authentication (2FA) codes.
Although our knowledge about the attack is limited to what Reddit has disclosed, we can still analyze the incident from a web security perspective.
Storing Hashed and Salted Passwords
Protecting passwords with salted password hashing is a web security measure that really pays off in the event of a website breach. A per-user salt makes precomputed (rainbow) tables useless and forces the attacker to crack each password separately, and a deliberately slow hash function (bcrypt, scrypt, Argon2 or PBKDF2) makes every guess expensive. Hashing only buys time, though: weak or common passwords are still recovered quickly with a dictionary attack, so the protection holds only where the passwords themselves are strong enough. When users reuse the same password on other sites, an uncracked hash is what stops the attacker from taking over those accounts as well. Reddit announced that users whose current password still matches one of the stolen hashes will be asked to reset it. Regardless, users are advised to change their password as a safety measure if they have been using the same one since 2007 (refer to our customer survey on online risky behaviour for more information on how end users handle passwords).
Two-Factor Authentication and Multi-Factor Authentication (MFA)
Reddit employees were right to enable 2FA to secure their login process. The lesson of this incident is that the strength of the second factor matters: an SMS code is a possession factor that travels over the phone network and can be intercepted or redirected, which is exactly how the employee accounts were compromised, whereas a code generated on the user's own device (an authenticator app or hardware token) never leaves their hands. Two-factor authentication is an additional authentication step that requires the user to present proof from two distinct categories of factor (multi-factor authentication generalises this to two or more):
- Knowledge - something the user knows (password, PIN code)
- Possession - something the user has (telephone, hardware token, authenticator app generating one-time passwords)
- Inherence - something the user is (biometrics such as a fingerprint)