Last week, Reddit announced a security incident in which an attacker compromised employee accounts for Reddit’s cloud and source code hosting providers. Breaches like this serve as reality checks to those of us responsible for securing user data and identities online.
Hats off to the Reddit team for the way this incident was handled, as incidents are nightmares to deal with, both for users and organizations. We’ve seen other companies suffer larger scale breaches and sweep them under the rug without an explanation of the impact to users.
By offering the public transparency into the details of the incident, Reddit gave the security community a few reminders of how to prevent these kinds of incidents down the line.
For those unfamiliar with the breach:
The attacker compromised the SMS-based two-factor authentication required for employee accounts; Reddit believes this was done by intercepting the SMS code used to pass the second factor of authentication.
While the attacker wasn’t allowed write access to source code and data, they were able to view data, including:
- Account credentials pre-2007 (usernames and salted hashed passwords)
- User email addresses
- Public and private content (messages and posts)
- Source code, config files, logs
As security experts, or even as online users who care about our privacy and data, what should we take away from last week’s news?
1. User transparency builds and rebuilds trust
This past year is no stranger to data breaches which exposed sensitive consumer information. Equifax, Orbitz, and Under Armour come to mind and all were highly publicized, recent breaches. It’s in the immediate wake of these breaches that companies can, at the very least, tell users what happened and earn some of their trust back.
Most people familiar with Reddit can understand the magnitude of how Reddit’s cloud provider breach affects users on the platform (namely how usernames can now be tied to actual email addresses and content posted, on a platform that celebrates honest forum conversations through user anonymity).
Reddit shared with users:
- The types of data exposed
- A way for users to check if they’ve been affected
- Recommendations on how users can improve their own account security
- What additional protocols were put in place as a mitigation strategy
Reddit knew that its users deserved to know about the incident. This kind of post-mortem transparency is one of the keys to retaining their users in the long haul. Users themselves can find this honesty refreshing.
As breaches become more commonplace, there is a bigger opportunity to demonstrate stronger security measures and transparency to users after and even before incidents occur. Through things like clear-cut privacy policies, compliance with applicable data protection laws (e.g. GDPR), and even informing end users about potentially risky activity on their accounts (Gmail lets you review which IPs/locations tried to access your account), platforms can begin cultivating trust from users throughout their life cycles.
With the ongoing consumer confusion about which applications are truly safe to use online, companies that adopt policies which engage users in transparent security experiences have a distinct advantage in keeping users over time compared to companies that intentionally keep security and communication obscure. Reddit has made it clear which type of company they are.
2. Public transparency evolves the community’s perspective
“Security is a cat and mouse game,” says every and any security expert.
You’ve heard or said this before, and it’s true. It refers to how, over time, attackers and security professionals react and counteract each other’s strategies as new exploits are used and mitigation strategies evolve.
When incidents become public knowledge and, more importantly, when companies share the vectors which were compromised and the new strategies around defenses, the cybersecurity community as a whole can learn how to address shortfalls in their own stacks.
Vulnerabilities with SMS-based authentication, namely SIM swapping and SS7 interception, have been known for years. There are split camps who each argue what the proper implementation of 2FA is (hardware, token-based, mobile app, etc.).
Ironically enough, at one point seven years ago SMS-based 2FA was recognized as better than token-based given it addressed vulnerabilities with the latter. Still, we can certainly expect more companies to swap in token-based authentication and stop using SMS one-time passwords, following Reddit’s recommendation.
And hopefully we see companies who protect user data not only work to implement the strongest authentication protocols, but also be cognizant of ways they might be bypassed and introduce additional checks if needed.
Most security professionals understand that no system, protocol, or process is perfect, and a combination of different measures needs to be used to get the tightest possible security of a platform in entirety.
And while this mindset is under-practiced, Reddit’s transparency about the attack path diagnosis lifts the discourse around which authentication practices today are obsolete and which should be considered. The community continues and should continue to iterate.
3. Questioning security now means preventing damage later
Specifically for authentication, requiring additional levels of identity “proof” means an attacker needs to validate themselves through multiple checkpoints, and in general means tighter security.
However, when simply assuming additional authentication factors fully secure the access in question, companies develop a static approach to security in a landscape where attackers are heavily incentivized to crack defenses (and often enjoy doing so).
We’re assuming Reddit’s cloud hosting provider was likely aware of the inherent vulnerabilities with SMS given the likely attack path. Though it’s not uncommon for other companies to apply the ‘set it and forget it’ approach with 2FA and assume it will work as a silver bullet.
From Reddit’s announcement, mentioning the improvements to their posture:
“Took measures to guarantee that additional points of privileged access to Reddit’s systems are more secure (e.g., enhanced logging, more encryption and requiring token-based 2FA to gain entry since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.)”
On a long enough timeline, vulnerabilities surface for every protocol. The same can be said for fixes. The companies who continually question and test their assumptions of what constitutes ground truth identity “proof” when allowing user access are the companies which avoid becoming targets.
Awareness like this keeps companies vigilant and continually scrutinizing how protected their system truly is; a much easier position to be in than controlling damage post incident.
Would the breach have been prevented if Reddit’s provider enforced these checks earlier? Who knows. Can other companies take the breach as a warning sign that perhaps their authentication stacks should be re-visited constantly and continually? Absolutely.