Reddit Hack Shows Limits of MFA, Strengths of Security Training

A tailored spear-phishing attack successfully convinced a Reddit employee to hand over their credentials and their one-time password, but soon after, the same worker notified security.

4 Min Read
Reddit security notification on social engineering phishing cyberattack
Source: Dark Reading

The latest hack of a well-known company highlights that attackers are increasingly finding ways around multifactor authentication (MFA) schemes — so employees continue to be an important last line of defense.

On Jan. 9, Reddit notified its users that a threat actor had successfully convinced an employee to click on a link in an email sent out as part of a spearphishing attack, which led to "a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens." 

The compromise of the employee's credentials allowed the attacker to sift through Reddit's systems for a few hours, accessing internal documents, dashboards, and code, Reddit stated in its advisory.

The company continues to investigate, but there's no evidence yet that the attacker gained access to user data or production systems, Reddit CTO Chris Slowe (aka KeyserSosa) stated on a follow-up AMA.

"It is extremely difficult to prove a negative, and also why, as mentioned, we are continuing investigating," he said. "The burden of proof right now supports that access was limited to outside of the main production stack."

Reddit is the latest software company to fall prey to a social engineering attack that harvested workers' credentials and led to a breach of sensitive systems. In late January, Riot Games, the maker of the popular League of Legends multiplayer game, announced it had suffered a compromise "via a social engineering attack," with the threat actors stealing code and delaying the company's ability to release updates. Four months earlier, attackers successfully compromised and stole source code from Take Two Interactive's Rockstar Games studio, the maker of the Grand Theft Auto franchise, using compromised credentials.

The cost of even minor breaches caused by phishing attacks and credential theft continues to be high. In a survey of 1,350 IT professionals and IT security managers, three-quarters (75%) said that their company had suffered a successful email attack in the past year, according to the "2023 Email Security Trends" report published by Barracuda Networks, a provider of application and data protection. In addition, the average firm saw its most expensive such attack cause more than $1 million in damages and recovery costs.

Still, companies feel prepared to deal with both phishing and spear-phishing, with only 26% and 21% of respondents fearing they were unprepared. That's an improvement from the 47% and 36%, respectively, who worried their firms were unprepared in 2019. Concerns over account takeover have become more common though, the report found.

"[W]hile organizations may feel better equipped to prevent phishing attacks, they are not as prepared to deal with account takeover, which is usually a by-product of a successful phishing attack," the report stated. "Account takeover is also a bigger concern for organizations with the majority of their employees working remotely."

More Proof That 2FA is Not Enough

To head off credential-based attacks, companies are moving to MFA, usually in the form of two-factor authentication (2FA), where a one-time password is sent via text or email. Reddit's Slowe, for example, confirmed that the company required 2FA. "Yup. It's required for all employees, both for use on Reddit as well for all internal access," he said during the AMA.

But techniques like MFA fatigue or "bombing" — as seen with last fall's Uber attack — make getting around 2FA a simple numbers game. In that scenario, the attackers send out repeated targeted phishing attacks to employees until someone gets tired of the notifications and gives up their credentials and the one-time password token.

Moving to the next level beyond 2FA is starting to happen. Providers of identity and access management technologies, for instance, are adding more information around access requests, such as the user's location, to add context that can be used to help determine whether access should be authenticated, says Tonia Dudley, CISO at Cofense, a phishing protection firm.

"Threat actors will always look for ways to navigate around the technical controls we implement," she says. "Organizations should still implement the use of MFA and continue to tune the control to protect employees."

Employees Are Key to Cyber Defense

Ironically, the Reddit hack also demonstrates the advantages that employee training can deliver. The employee suspected something was wrong after entering credentials into the phishing site, and soon after contacted Reddit's IT department. That reduced the attacker's window of opportunity and limited the damage.

"It's time we stop looking as employees as a weakness and instead looking at them as the strength they are, or can be, for organizations," Dudley says. "Organizations can only tune the technical controls so far ... employees can offer that additional context of, 'this just doesn't seem right.'"

The employee at the center of the Reddit breach will not face long-term, punitive action, but did have all access revoked until the problem was resolved, Reddit's Slowe said in the follow-up AMA.

"The problem, as ever, is that it only takes one person to fall for [a phish]," he said, adding, "I'm exceedingly grateful the employee, in this case, reported that it happened when they realized it happened."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights