On June 19, Reddit learned that an attacker had breached several employee accounts via the company's cloud and source-code hosting providers:
No Reddit information was altered, and the company quickly moved forward to lock down proprietary data, but it's still caused ripples of concern among Reddit's community of users. The theft contained a complete copy of an old database backup that held personal data from Reddit's early users. This largely included account credentials (username + salted hashed passwords), email addresses, and messages — valuable information that thieves can recycle to access other accounts, such as health or financial records.
This is one of hundreds of breaches this year. According to Statista, the U.S. has seen 668 data breaches that have exposed more than 22 million personal records.
The pace of break-ins has been steadily rising for over a decade.
How do companies like Reddit protect themselves in an increasingly dangerous environment? This piece digs into key strategies you can use to brace your company against attacks before they happen — and tells you what to do if the unfortunate occurs.
Why Didn't Two-Factor Authentication Stop Reddit's Data Breach?
Although Reddit employed a two-factor authentication (2FA) shield, it was SMS-based, and the main attack occurred via SMS intercept.
All forms of 2FA require a user to provide a second form of identification — over and above a simple password — to gain access to a system. The most common 2FA method sends the user a unique token via SMS/text message.
This is generally a 5- to 10-digit code, which the user types in after the successful entry of their username and password. Many enterprises have opted for this method because two-factor authentication is user-friendly (nearly everyone is familiar with receiving text messages) and is inexpensive to set up.
Yet the method clearly has holes. SMS 2FA is vulnerable to swings in cell-phone connectivity and can be easily intercepted by third parties.
A more secure version is employing software tokens. Software tokens in 2FA have gained popularity in recent years with the rise of smartphones.
The Microsoft Authenticator is an example of a popular software token-based solution, which could have provided Reddit a tighter wall against hackers.
The Microsoft Authenticator is one of many similar tools, including the Google Authenticator, Twilio Authenticator, and LastPass Authenticator. They all rely on a time-based one-time password (TOTP) algorithm to generate a short-lived (30 seconds or less) password. The user must copy the password into the website's or app's required field for verification before it expires.
"SMS 2FA is vulnerable to swings in cell-phone connectivity and can be easily intercepted by third parties. A more secure version is employing software tokens."
Other Forms of 2FA That Could Have Stopped the Reddit Data Breach
Hardware tokens are another method that many enterprises use. They rely on a physical device, such as a key fob or USB dongle, that generates a token for the user.
Unlike SMS and software tokens, hardware tokens don't require cell-phone reception or even Wi-Fi; however, they are costly to set up and maintain. In addition, employees often misplace hardware tokens or confuse them with other personal devices.
Several teams rely on email or phone verification, where the user receives a link or a voice recording with an alphanumeric token. While these options are also relatively inexpensive and easy to set up, they can, like SMS tokens, fail in delivery and are vulnerable to interceptions.
An exciting area of multifactor authentication (MFA) that is on the rise is biometrics. This eliminates additional devices altogether and instead relies on a user's inherent credentials, such as fingerprints, a retina, or even gait.
Incorporate 2FA as Part of a Larger Identity Strategy to Stop Cyber Theft
Two-factor authentication is a critical component of security for enterprises today — despite the fact that only 28% of people employ 2FA. While it's important to help all of your users implement 2FA, there are other elements of identity management that companies like Reddit should consider.
For example, identity-management providers like Auth0 have several Rules that its users can turn on quickly to immediately detect fraud within a system and take action against it. A dashboard view also allows system administrators to observe all of the activity that is taking place at a given time.
Instead of trying to work with disparate streams of user data (e.g., new sign-ups in one place and historical usage over time in another), a well-constructed dashboard can offer multiple visualizations of this information in the same location. From there, admins can take swift action when they see something is amiss.
With Auth0's anomaly-detection feature, you can implement several shields from the dashboard that will block users after a certain number of failed login attempts. In addition, if you know that their information was recently compromised in a major security incident, you can screen for logins from these accounts. For example, if Reddit makes the information available, Auth0 will flag these emails in case the Reddit thieves are using these credentials to impersonate the users.
The more steps you can take to build out your identity management system, the better off you will be as attacks come from multiple angles.
How to Help Users After a Data Breach Occurs
The most important thing to do when you learn that your system has been compromised is to immediately communicate it and take action.
- Report the breach to law enforcement, including any data you have on the number and types of accounts the thieves were able to access.
- Test the accounts that you believe might have been compromised by sending emails or otherwise attempting to verify if the account holders are still who they say they are.
- Immediately improve your login systems and any current 2FA approaches, and consider outsourcing more elements of your identity-management system to experts.
Reddit quickly published data breach mitigation steps on its site:
Offering immediate, actionable steps accompanied by links to more detailed pages of information is a great way to help your users without overwhelming them with technical information.
"The most important thing to do when you learn that your system has been compromised is to immediately communicate it and take action."
Hopefully, you won't have to employ these final tactics; however, given today's challenging threat environment, particularly for teams with large user bases, it's critical to stay up to date on the latest solutions and security strategies to avoid a worst-case scenario.
Auth0 is the first identity management platform for application builders, and the only identity solution needed for custom-built applications. With a mission to secure the world’s identities so innovators can innovate, Auth0 provides the simplicity, extensibility, and expertise to scale and protect identities in any application, for any audience. Auth0 secures more than 100 million logins each day, giving enterprises the confidence to deliver trusted and elegant digital experiences to their customers around the world.