On Wednesday, Reddit revealed that hackers had broken into some of its systems and stole some users’ data, including email addresses and passwords, as well as company data, such as source code.
In an amazing and rare show of restraint and honesty, Reddit’s announcement did not call the attack “sophisticated.” Usually, when a company begrudgingly opens up about a security incident, it tends to overstate the ability of the attackers. Thus, every breach gets blamed on “sophisticated” hackers, even when all they did was send a misspelled phishing email.
For that, Reddit deserves a lot of credit. The company, however, could have been more transparent about what actually happened. It’s unclear at this point, but all signs seem to point in the direction of a so-called account takeover via SIM hijacking (or SIM swapping) hack. Reddit isn’t saying it, but several security experts inferred that.
This is not just a semantic discussion. This matters because SIM hijacking is quickly becoming a common threat that may force us to rethink and perhaps abandon SMS-based two-factor authentication. The more victims come out and share their stories, the better we—and more importantly, the cellphone carriers who have thus far largely ignored the problem—will understand the problem.
The hackers, according to Reddit’s own version of the story, hit the company in a particularly weak spot. They intercepted the two-factor authentication codes of “a few” of the company’s employees. Reddit specifically used the expression “SMS intercept” as the root cause of the data breach.
You may be thinking, what the fuck is “SMS intercept”? Don’t feel bad, that is actually a legitimate and valid question, because the expression is vague and could very well be misleading in this case.
In literal terms, Reddit is using it to mean someone intercepted the text messages containing “one-time passwords,” or OTP, which were the second factor in this case (along with its employees’ normal passwords.)
The key question though, is how exactly did the hackers intercept those text messages?
Reddit, for now, doesn’t want to say. I asked that very simple question to its press team, as well as its engineer known as KeyserSosa, who authored the disclosure post.
KeyserSosa referred me back to the press team. Reddit’s PR sent me this statement, which did not answer my question:
“On June 19, we learned that an attacker compromised a few of Reddit’s accounts with cloud and source code hosting providers by intercepting SMS 2FA verification codes. We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future. A small number of users were affected and have been notified. You can find a comprehensive explanation in our post to the Reddit community here.”
I followed up asking for more information, but got no answer. Fortunately, KeyserSosa gave some other clues in public posts on Reddit that help clear the fog a bit.
In one, they wrote: “we know the target’s phone wasn’t hacked.” In another, they wrote: “we require people to use TOTP for this reason, but there are situations where we couldn’t fully enforce this on some of our providers since there are additional ‘SMS reset’ channels that we can’t opt out of via account policy.”
When KeyserSosa says “the phone wasn’t hacked,” they likely mean the hackers did not remotely exploit the employees’ phones and install malware on them. The second message, while more jargony, is more illuminating. What KeyserSosa is saying there is that Reddit usually requires time-based one-time passcodes (TOTP). This is a more secure way to do two-factor authentication, because it doesn’t rely on text messages, which are much less secure than physical security keys or an authenticator app.
The key is the last sentence though. KeyserSosa seems to hint that the employees got owned because some of their providers have a way to reset accounts via SMS.
Again, we’re doing a bit of speculation here, but if I read this correctly, what likely happened is the following: the hackers broke into the employees’ accounts by first taking over their cellphone numbers, then triggering an account reset via text message, and then intercepting the second factor.
This kind of attack, which at its core relies on social engineering, is a huge, sometimes overlooked, and underestimated problem. Hundreds of Americans have been hit by similar attacks in the last few months, according to a Motherboard investigation. The flaw lies within the telecom companies and their employees, who can be tricked—or bribed—into transferring phone numbers to SIM cards controlled by criminals.
The bad news is that as a victim, there’s little you can do if the hacker gets an insider to help them SIM swap your number. The good news is that you can make it so your number doesn’t become the golden key to your entire digital identity.
With so much discussion in the security community about the potential weaknesses of SMS-based two-factor authentication, it’s important that, when it is exploited, we learn more about the specifics of what happened. More transparency will lead to more educated decisions and recommendations about personal and corporate security.