Reddit Hack Shows Limits of MFA, Strengths of Security Training

A tailored spear-phishing attack successfully convinced a Reddit employee to hand over their credentials and their one-time password, but soon after, the same worker notified security.

Robert Lemos, Dark Reading

February 15, 2023


The latest hack of a well-known company highlights that attackers are increasingly finding ways around multifactor authentication (MFA) schemes — so employees continue to be an important last line of defense.

On Jan. 9, Reddit notified its users that a threat actor had successfully convinced an employee to click on a link in an email sent out as part of a spear-phishing attack, which led to "a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens."

The compromise of the employee's credentials allowed the attacker to sift through Reddit's systems for a few hours, accessing internal documents, dashboards, and code, Reddit stated in its advisory.

The company continues to investigate, but there's no evidence yet that the attacker gained access to user data or production systems, Reddit CTO Chris Slowe (aka KeyserSosa) stated on a follow-up AMA.

"It is extremely difficult to prove a negative, and also why, as mentioned, we are continuing investigating," he said. "The burden of proof right now supports that access was limited to outside of the main production stack."

Reddit is the latest software company to fall prey to a social engineering attack that harvested workers' credentials and led to a breach of sensitive systems. In late January, Riot Games, the maker of the popular League of Legends multiplayer game, announced it had suffered a compromise "via a social engineering attack," with the threat actors stealing code and delaying the company's ability to release updates. Four months earlier, attackers successfully compromised and stole source code from Take Two Interactive's Rockstar Games studio, the maker of the Grand Theft Auto franchise, using compromised credentials.

The cost of even minor breaches caused by phishing attacks and credential theft continues to be high. In a survey of 1,350 IT professionals and IT security managers, three-quarters (75%) said that their company had suffered a successful email attack in the past year, according to the "2023 Email Security Trends" report published by Barracuda Networks, a provider of application and data protection. In addition, the average firm saw its most expensive such attack cause more than $1 million in damages and recovery costs.

Still, companies feel prepared to deal with both phishing and spear-phishing, with only 26% and 21% of respondents fearing they were unprepared. That's an improvement from the 47% and 36%, respectively, who worried their firms were unprepared in 2019. Concerns over account takeover have become more common though, the report found.

"[W]hile organizations may feel better equipped to prevent phishing attacks, they are not as prepared to deal with account takeover, which is usually a by-product of a successful phishing attack," the report stated. "Account takeover is also a bigger concern for organizations with the majority of their employees working remotely."

More Proof That 2FA is Not Enough

To head off credential-based attacks, companies are moving to MFA, usually in the form of two-factor authentication (2FA), where a one-time password is sent via text or email. Reddit's Slowe, for example, confirmed that the company required 2FA. "Yup. It's required for all employees, both for use on Reddit as well for all internal access," he said during the AMA.

But techniques like MFA fatigue or "bombing" — as seen with last fall's Uber attack — make getting around 2FA a simple numbers game. In that scenario, the attackers send out repeated targeted phishing attacks to employees until someone gets tired of the notifications and gives up their credentials and the one-time password token.

Efforts to move beyond plain 2FA are starting to take hold. Providers of identity and access management technologies, for instance, are attaching more information to access requests, such as the user's location, to add context that can help determine whether an access request should be authenticated, says Tonia Dudley, CISO at Cofense, a phishing protection firm.

"Threat actors will always look for ways to navigate around the technical controls we implement," she says. "Organizations should still implement the use of MFA and continue to tune the control to protect employees."
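The two defensive ideas raised above, spotting a push-fatigue pattern (a burst of MFA prompts ending in an approval) and weighing the context of a login (a country the user has never signed in from), can both be checked from ordinary authentication logs. The following is an added example written for this article, not code from Reddit, Cofense, or Dark Reading; the log format, the user names, and the threshold values are constructed assumptions.

```python
"""Flag MFA push-fatigue bursts and new-context logins in authentication logs.

Added example, not part of the original article. The log format below is
constructed: "<ISO timestamp> <user> <event> <result> <country>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice receives five push prompts in 90 seconds,
# denies four, approves the fifth, and the session then lands from an
# unfamiliar country. bob shows a normal single-prompt login.
SAMPLE_LOG = """\
2023-02-14T09:00:01Z alice mfa_push denied US
2023-02-14T09:00:20Z alice mfa_push denied US
2023-02-14T09:00:41Z alice mfa_push denied US
2023-02-14T09:01:05Z alice mfa_push denied US
2023-02-14T09:01:30Z alice mfa_push approved US
2023-02-14T09:01:31Z alice login success RO
2023-02-14T09:10:00Z bob mfa_push approved US
2023-02-14T09:10:01Z bob login success US
"""


def parse(log_text):
    """Parse the constructed log format into a list of event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "result": result,
            "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: prompt_count} for users whose MFA approval came after
    at least `threshold` push prompts inside `window`.

    A single approved prompt is normal; an approval at the tail of a burst
    is the signature of a user "giving up" on repeated notifications.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push prompts
    flagged = {}
    for e in events:
        if e["event"] != "mfa_push":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        # Drop prompts that fall outside the sliding window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "approved" and len(q) >= threshold:
            flagged[e["user"]] = len(q)
    return flagged


def new_context_logins(events, known_countries):
    """Return [(user, country)] for successful logins from a country not in
    the user's known set. `known_countries` maps user -> set of countries
    previously seen for that user (assumed to come from a baseline store)."""
    hits = []
    for e in events:
        if e["event"] == "login" and e["result"] == "success":
            if e["country"] not in known_countries.get(e["user"], set()):
                hits.append((e["user"], e["country"]))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    baseline = {"alice": {"US"}, "bob": {"US"}}  # constructed baseline
    print("push fatigue:", detect_push_fatigue(evs))
    print("new context:", new_context_logins(evs, baseline))
```

Both checks are cheap enough to run on every identity-provider export, and together they cover the case the article describes: the approval itself looks legitimate, so it is the prompt burst beforehand and the unfamiliar origin afterwards that give the incident away.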


About the Author(s)

Robert Lemos

Dark Reading, Contributing writer

Robert Lemos is a veteran technology journalist and a former research engineer. He's written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science and Wired News. He has won five awards for journalism and crunches numbers on various trends using Python and R. 
