Popular social media site Reddit – “orange Usenet with ads”, as we’ve somewhat ungraciously heard it described – is the latest well-known web property to suffer a data breach in which its own source code was stolen.
In recent weeks, LastPass and GitHub have confessed to similar experiences, with cybercriminals apparently breaking and entering in much the same way: by figuring out a live access code or password for an individual staff member, and sneaking in under cover of that individual’s corporate identity.
In Reddit’s own words:
Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.
We’re not sure quite how suitable the adjective “sophisticated” is here, not least because Reddit quickly goes on to state that:
As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).
In other words, this attack almost certainly succeeded not because it was sophisticated, but because it wasn’t.
Someone, perhaps in a hurry, arrived at what they thought was the frontier, handed over their passport to a fellow-traveller instead of to an official border agent, and then found themselves trapped in nowhere-land without any ID while the imposter sailed through the border crossing in their name.
The single most important factor in an identity-hijacking attack of this sort is not sophistication but, as Reddit rightly pointed out above, plausibility, making it easy even for well-informed and cautious individuals to “coast through” based on habit and experience.
The risk posed by habitual behaviour is why official British road signage includes a bright red rectangle containing the words NEW ROAD LAYOUT AHEAD that’s used when a busy piece of road gets reorganised. The sign isn’t there to protect old-timers from nervous new road users who might find a big junction or roundabout complicated. It’s there to protect those new users, who have no choice but to work cautiously from first principles, and are therefore likely to follow the road rules just fine, from old-timers who think they “know” how traffic will behave at that location, and therefore sail through carelessly, based on incorrect assumptions and “learned-but-now-improper” behaviour.
How far did the crooks get?
As already stated, some of Reddit’s own internal systems were accessed by the attackers.
In addition to the mostly-harmless-sounding “docs” and “code” listed above, Reddit has admitted that information about past and present employees and “contacts” (we’re assuming this includes, but is not limited to, contractors and other non-permanent staffers) was stolen, along with information about advertising customers.
Reddit hasn’t stated publicly what sort of data fields were included in the stolen information, merely that the breach was “limited”.
The word limited might be a good sign (e.g. name and email address, and no other data), but it could just as easily be a bad one (e.g. “only” two data items: your social security number and a scan of your driving licence).
Signed-up users of the Reddit service, it seems – Redditors, as they are known – can stand down from Blue Alert, with Reddit saying that its investigation so far shows no indication that what it calls “non-public data” (in other words, stuff that you didn’t post for the world to see anyway) was accessed by the cybercriminals.
And, as mentioned earlier, the Reddit systems themselves – the operating systems, code and networks that run the Reddit services you interact with, whether as a user or a visitor – don’t seem to have been breached.
From this, we infer that the crooks are unlikely to have made off with data such as login records, system logs, location information or password hashes.
The company also stated, in its notification, that it is still investigating this incident (which happened on Sunday 2023-02-05).
Given its reasonably quick response so far, we’re guessing that Reddit will follow up in due course to say whether it found any further evidence of compromise.
What to do?
To be honest, unless you’re a Reddit staffer or advertiser, it doesn’t look as though there’s much you can or need to do right now.
(We’re assuming, if you do work for or advertise with Reddit, that the company will already have contacted you personally if your data was amongst the “limited” information stolen, which we would consider a better short-term response than telling the whole world first.)
Reddit itself has made three suggestions, namely:
- Protect against phishing by using a password manager. This makes it harder to put the right password into the wrong site, because the password manager isn’t deceived by the look-and-feel of a site, but works unemotionally with the exact name of the web page it sees in the address bar. Ironically, this seems to be advice that Reddit itself didn’t follow, given that the attackers used a plausible look-alike site to steal login credentials, which a password manager would presumably have rejected as unknown.
- Turn on 2FA if you can. This means you need a one-time code that changes at every login, which makes a stolen password useless on its own. We agree that this is a great idea, but note that Reddit’s own mechanism for 2FA (two-factor authentication), based on a regularly-changing six-digit code generated by an app on your phone, apparently didn’t help here, because the attackers phished both a current password and a valid-right-now 2FA code.
- Change your passwords every two months. We disagree with this advice, as does the US National Institute of Standards and Technology (NIST). Change for change’s sake is rarely a good idea, because it tends to enforce habitual behaviour that, in the words of Naked Security friend and colleague Chester Wisniewski, “gets everybody in the habit of a bad habit”.
In short: we continue to recommend password managers, especially if you tend to drift into the habit of picking obvious, identical or even similar passwords for multiple sites without one.
We also recommend password managers as a helpful tool for pulling you up short on imposter sites that look visually perfect to you, but that don’t match the plain and emotionless expectations of your password manager.
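To show concretely why a password manager is not fooled by a look-alike login page, here is an added example (our own illustration, not code from Reddit or from any particular password manager) of the exact-origin matching a manager performs before offering a stored credential. The vault contents and the `intranet.example.com` hostname are constructed for the example; the point is that anything other than a byte-for-byte match of scheme, host and port gets nothing, however convincing the page looks.

```python
from urllib.parse import urlsplit

# Constructed vault: a password manager keys credentials by exact origin
# (scheme + host + port), never by how the page looks.
VAULT = {
    "https://intranet.example.com": ("alice", "correct-horse-battery-staple"),
}


def canonical_origin(url):
    """Return scheme://host[:port] for a URL, or None if it is not a web origin.

    The host is lowercased (urlsplit does this) and IDNA-encoded, so a
    hostname containing look-alike Unicode letters becomes an xn-- label
    that cannot collide with the ASCII name stored in the vault.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    origin = f"{parts.scheme}://{host}"
    if parts.port is not None and parts.port != default_port:
        origin += f":{parts.port}"
    return origin


def credentials_for(url):
    """Offer a stored credential only for an exact origin match over HTTPS.

    Subdomains, extra suffixes, hyphen-for-dot swaps, homoglyph hosts and
    plain-HTTP copies of the site all fail to match and get no autofill.
    """
    origin = canonical_origin(url)
    if origin is None or not origin.startswith("https://"):
        return None
    return VAULT.get(origin)
```

A page at `https://intranet.example.com.some-other-domain.test/` is a different origin, so the manager stays silent, which is exactly the cue a hurried user needs.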
And we advise you to turn on 2FA wherever you can, even though we know it’s a bit of a hassle.
We nevertheless remind you that 2FA codes (such as those one-time 6-digit SMS or app-based messages) can still be phished, as happened here to Reddit, so they are no substitute for caution.
But we don’t agree with forcing yourself regularly to change all your passwords on an algorithmic basis.
Much better to change your passwords right away whenever you genuinely think it’s worth doing so, than to rely on “I’ll be changing it sometime soon anyway, so I’ll just wait until the process tells me to do it.”
(We’re not saying you mustn’t change your passwords all the time if that makes you happy, but doing it as what you might call a “procedural requirement” will give you a false sense of security, and uses up time you could spend on other tasks that directly improve your online safety.)
As we’ve said before, we may be heading towards a passwordless future, but we suspect we’ll all be juggling passwords for at least some important online service for many years yet.