On June 19, Reddit learned that an attacker had breached several employee accounts via the company's cloud and source-code hosting providers:
[Source]
No Reddit information was altered, and the company quickly moved forward to lock down proprietary data, but it's still caused ripples of concern among Reddit's community of users. The theft contained a complete copy of an old database backup that held personal data from Reddit's early users. This largely included account credentials (username + salted hashed passwords), email addresses, and messages — valuable information that thieves can recycle to access other accounts, such as health or financial records.
This is one of hundreds of breaches this year. According to Statista, the U.S. has seen 668 data breaches that have exposed more than 22 million personal records.
The pace of break-ins has been steadily rising for over a decade.
How do companies like Reddit protect themselves in an increasingly dangerous environment? This piece digs into key strategies you can use to brace your company against attacks before they happen — and tells you what to do if the unfortunate occurs.
Why Didn't Two-Factor Authentication Stop Reddit's Data Breach?
Although Reddit employed a two-factor authentication (2FA) shield, it was SMS-based, and the main attack occurred via SMS intercept.
All forms of 2FA require a user to provide a second form of identification — over and above a simple password — to gain access to a system. The most common 2FA method sends the user a unique token via SMS/text message.
[Source]
This is generally a 5- to 10-digit code, which the user types in after the successful entry of their username and password. Many enterprises have opted for this method because two-factor authentication is user-friendly (nearly everyone is familiar with receiving text messages) and is inexpensive to set up.
Yet the method clearly has holes. SMS 2FA is vulnerable to swings in cell-phone connectivity and can be easily intercepted by third parties.
A more secure version is employing software tokens. Software tokens in 2FA have gained popularity in recent years with the rise of smartphones.
The Microsoft Authenticator is an example of a popular software token-based solution, which could have provided Reddit a tighter wall against hackers.
The Microsoft Authenticator is one of many similar tools, including the Google Authenticator, Twilio Authenticator, and LastPass Authenticator. They all rely on a time-based one-time password (TOTP) algorithm to generate a short-lived (30 seconds or less) password. The user must copy the password into the website's or app's required field for verification before it expires.
“SMS 2FA is vulnerable to swings in cell-phone connectivity and can be easily intercepted by third parties. A more secure version is employing software tokens.”
Tweet This
Other Forms of 2FA That Could Have Stopped the Reddit Data Breach
Hardware tokens are another method that many enterprises use. They rely on a physical device, such as a key fob or USB dongle, that generates a token for the user.
[Source]
Unlike SMS and software tokens, hardware tokens don't require cell-phone reception or even Wi-Fi; however, they are costly to set up and maintain. In addition, employees often misplace hardware tokens or confuse them with other personal devices.
Several teams rely on email or phone verification, where the user receives a link or a voice recording with an alphanumeric token. While these options are also relatively inexpensive and easy to set up, they can, like SMS tokens, fail in delivery and are vulnerable to interceptions.
An exciting area of multifactor authentication (MFA) that is on the rise is biometrics. This eliminates additional devices altogether and instead relies on a user's inherent credentials, such as fingerprints, a retina, or even gait.
Incorporate 2FA as Part of a Larger Identity Strategy to Stop Cyber Theft
Two-factor authentication is a critical component of security for enterprises today — despite the fact that only 28% of people employ 2FA. While it's important to help all of your users implement 2FA, there are other elements of identity management that companies like Reddit should consider.
For example, identity-management providers like Auth0 have several Rules that its users can turn on quickly to immediately detect fraud within a system and take action against it. A dashboard view also allows system administrators to observe all of the activity that is taking place at a given time.
Instead of trying to work with disparate streams of user data (e.g., new sign-ups in one place and historical usage over time in another), a well-constructed dashboard can offer multiple visualizations of this information in the same location. From there, admins can take swift action when they see something is amiss.
With Auth0's anomaly-detection feature, you can implement several shields from the dashboard that will block users after a certain number of failed login attempts. In addition, if you know that their information was recently compromised in a major security incident, you can screen for logins from these accounts. For example, if Reddit makes the information available, Auth0 will flag these emails in case the Reddit thieves are using these credentials to impersonate the users.
The more steps you can take to build out your identity management system, the better off you will be as attacks come from multiple angles.
How to Help Users After a Data Breach Occurs
The most important thing to do when you learn that your system has been compromised is to immediately communicate it and take action.
- Report the breach to law enforcement, including any data you have on the number and types of accounts the thieves were able to access.
- Test the accounts that you believe might have been compromised by sending emails or otherwise attempting to verify if the account holders are still who they say they are.
- Immediately improve your login systems and any current 2FA approaches, and consider outsourcing more elements of your identity-management system to experts.
Reddit quickly published data breach mitigation steps on its site:
Offering immediate, actionable steps accompanied by links to more detailed pages of information is a great way to help your users without overwhelming them with technical information.
“The most important thing to do when you learn that your system has been compromised is to immediately communicate it and take action.”
Tweet This
Hopefully, you won't have to employ these final tactics; however, given today's challenging threat environment, particularly for teams with large user bases, it's critical to stay up to date on the latest solutions and security strategies to avoid a worst-case scenario.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Martin Gontovnikas
Former SVP of Marketing and Growth at Auth0
Gonto’s analytical thinking is a huge driver of his data-driven approach to marketing strategy and experimental design. He is based in the Bay area, and in his spare time, can be found eating gourmet food at the best new restaurants, visiting every local brewery he can find, or traveling the globe in search of new experiences.View profile