One of the most popular discussion forums on the internet, Reddit, today disclosed a data breach in which some user information was leaked.
In a post mortem, Reddit said the attack was serious: the attacker accessed an old database backup and a newer set of "email digests" that had been sent to users.
The backup file contained usernames, hashed and salted passwords, email addresses, all public content and private messages from 2005 through to May 2007.
The attacker was also able to gain read access to Reddit's storage systems, and used it to access "Reddit source code, internal logs, configuration files and other employee workspace files".
However, they were unable to gain write access to Reddit’s systems and weren’t able to alter or delete any data.
The attackers gained access via Reddit employee accounts "with our cloud and source code hosting providers".
While Reddit uses two-factor authentication to protect staff logins, the second-factor codes were delivered out-of-band via SMS, and the attackers intercepted those messages.
"We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Reddit founding engineer Christopher Slowe said.
SMS 2FA continues to be widely used, despite being shown to be insecure. Staff logins will now be protected by token-based 2FA rather than SMS codes.
Reddit said it will notify affected users of the data breach, and reset their passwords.
Some Reddit users reported that they had already received extortion-based phishing emails that cited the hacked credentials.
The emails quote the passwords taken from the 2007 database backup, and claim malware has been installed on users’ computers that is able to record what’s on the screen as well as activate the webcam.
The phishers threatened to leak embarrassing recordings captured from the users’ computers to all their contacts, unless they paid a ransom.