How Was Reddit Defaced?Postmortem Remains Pending, But Social Engineering and Credential Stuffing Likely
Reddit had a very "Make America Great Again" weekend.
On the social news aggregation service, which hosts numerous discussion forums, more than 70 specific online communities - known as subreddits - were temporarily hijacked and used to post messages in support of U.S. President Donald Trump over the weekend.
While Reddit has yet to publish a full postmortem on the incident, it says the compromised accounts did not have two-factor authentication enabled.
"We have officially confirmed that none of the accounts that were compromised had 2FA enabled at the time of the compromise," Reddit's advisory states. "2FA is not a guarantee of account safety in general, but it's still an important step to take to keep your account more secure."
It's unlikely the attackers used SIM swapping to take over accounts because that would have also enabled them to bypass two-factor authentication, experts say. But how so many accounts could have been compromised en masse remains unclear. In previous breaches of this type, however, attackers have typically either brute-force guessed weak passwords or else reused username and password combinations exposed in previous data breaches.
In a statement, Reddit says: "An investigation is underway related to a series of vandalized communities. It appears the source of the attacks were compromised moderator accounts. We are working to lock down those accounts and restore impacted communities."
Attacker Claims Responsibility
Reddit has not named anyone suspected of launching the attack. But a now-suspended Twitter account, @advanceHCAjobs, claimed responsibility.
The account tweeted directly to Reddit, writing that "we are claiming responsibility for the ongoing hack of your subs." The account, saying it belongs to "Calvin Goh" and "Melvern," claimed "it was so easy as we combined password stuffing and social engineering together to beat the teenage bitcoin cheater." The lattermost part of that statement appears to reference the three individuals who were charged last month in connection with hacking 130 high-profile Twitter accounts as part of a cryptocurrency scam (see: 3 Charged in Twitter Hack).
The availability of billions of usernames and password combinations gathered from countless data breaches means that someone could have methodically targeted subreddit editors, collecting valid credentials over a long period of time and waiting for the right moment to strike. Or, it's possible attackers repeatedly obtained leaked credentials via past data breaches and methodically tested them to see if the same users reused their passwords on Reddit, via so-called credential stuffing attacks (see: How Can Credential Stuffing Be Thwarted?).
One potential source of the leaked passwords could have been Reddit's breach, which was discovered in 2018. In that incident, an attacker compromised employee accounts at Reddit's cloud and source-code hosting providers. Exposed data included some current email addresses and a database backup, although that dated from 2007. The backup contained "old salted and hashed passwords," Reddit said at the time.
"We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid," Reddit said in its security notification at the time. "If you signed up for Reddit after 2007, you're clear here."
"I've never seen data for this," Hunt says. "Reddit would be able to tell if the current spate of accounts that have been taken over ever changed passwords after the old incident." At least in theory, however, Reddit should have forced them to do so.
Interesting account takeover shenanigans at @reddit. But also: "We have officially confirmed that none of the accounts that were compromised had 2fa enabled at the time of the compromise"— Troy Hunt (@troyhunt) August 10, 2020
Reads like credential stuffing, any info to confirm or deny?https://t.co/xjrF7UIeE2
The problem of attackers combing data breaches for username and password pairs and testing them across a number of other sites is well-known, and many sites now take steps to try to thwart credential stuffing. Reddit says it regularly checks username and password combinations against third-party breach sets and forces any Reddit users who have reused credentials to update them.
While such efforts are ongoing, in October 2019, Reddit said it had completed "a major effort to detect all accounts that had credentials matching historical, third-party breaches.
"You might have experienced some of our efforts if we forced you to reset your password as a precaution," Reddit said at the time. "We expect the number of protective account security actions to drop drastically going forward as we no longer have a large backlog of breach datasets to process. Hopefully, we have reached a steady state, which should reduce some of the pain for users. We will continue to deal with new breach sets that come in."
Another potential explanation for the MAGA website defacements, according to Reddit participants, would be a compromise of open accounts for currently inactive moderators. Some Reddit users have expressed concern that these types of inactive accounts are tough to remove but may still retain privileges that would allow subreddits to be modified.
Potential Vector: Social Engineering
Gaining the access credentials through social engineering is plausible as well. Social engineering is what led to the mass takeover of Twitter accounts in late July as part of the cryptocurrency scam. Twitter says attackers used social engineering to target its employees, enabling the attackers to gain access to its internal tools, which gave them full access to user accounts.
Some experts have speculated that whoever hit Twitter might have used SIM hijacking to intercept two-factor codes sent via SMS. In SIM hijackings, an attacker manages to get a person's phone number switched or transferred to a new SIM card, which allows them to intercept a two-factor code, which may be used by a site such as Twitter to log into an account or by a bank to authorize a money transfer.
After the Reddit data breach that came to light in 2018, however, the company said it moved away from sending two-factor codes via SMS because attackers used SIM hijacking to help compromise employee accounts. Today, Reddit no longer offers 2FA via SMS. Instead, it urges users to use out-of-band apps such as Authy or Google Authenticator, in line with current guidance from standards bodies such as the U.S. National Institute of Standards and Technology.
Executive Editor Mathew Schwartz contributed to this report.