| Recurring | one_organization, multiple_organization | (a) The Reddit hack of 2018 involved compromised systems and stolen user data, specifically old passwords dating from 2007. The breach was possible because Reddit was using an outdated form of two-factor authentication on its employee accounts, namely SMS-based codes. The incident highlights the risk of SMS-based authentication: the texts carrying the one-time codes are considered too easy for attackers to intercept. Reddit acknowledged the weaknesses in its authentication system and took steps to improve it so that a similar attack could not recur [73658].<br>(b) The article notes that in 2016 the US National Institute of Standards and Technology (NIST) stopped recommending SMS-based authentication because of its security risks, which shows the problem was not unique to Reddit but a broader industry concern. NIST guidance released in 2017 further described the risks organizations face when securing their systems with SMS-based authentication, so other organizations are likely to have faced the same challenge with this method [73658]. |
| Phase (Design/Operation) | design, operation | (a) The design-phase failure lies in the outdated form of two-factor authentication Reddit used on its employee accounts: SMS-based codes, considered insecure because attackers can intercept the texts carrying the one-time codes [73658].<br>(b) The operation-phase failure can be linked to the misuse of SMS-based authentication on Reddit employee accounts. The main attack that led to the breach was an SMS intercept, meaning the authentication method was defeated in operation by attackers capturing the messages carrying the authentication codes [73658]. |
| Boundary (Internal/External) | within_system | (a) The failure reported in the article was primarily within the system. The hack of Reddit's systems and the resulting data breach stemmed from an internal factor: an outdated form of two-factor authentication (SMS-based codes) on employee accounts, which left logins open to interception by attackers. The breach exploited weaknesses in Reddit's own authentication system, specifically SMS-based authentication, which industry standards no longer considered secure [73658]. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The incident at Reddit was primarily due to non-human actions. Hackers compromised the systems and stole user data by exploiting an outdated form of two-factor authentication based on SMS. The method was considered insecure because attackers could intercept the texts carrying the one-time codes, which led to the breach [73658]. The incident highlighted the vulnerability of SMS-based authentication, which security standards no longer recommended because of its susceptibility to interception [73658].<br>(b) Human actions also played a role. Reddit's continued use of an outdated two-factor method, SMS-based authentication, was a decision made by the company. Chief Technology Officer Christopher Slowe acknowledged that Reddit could not always avoid SMS-based authentication because of the third-party software it was using [73658]. The company has since resolved the issue and encouraged users to switch to the more secure token-based two-factor authentication [73658]. |
| Dimension (Hardware/Software) | hardware, software | (a) The software failure incident related to hardware:<br>- The incident at Reddit was caused by hackers compromising systems and stealing user data, which was possible because Reddit was using an outdated form of two-factor authentication on its employee accounts [73658].<br>(b) The software failure incident related to software:<br>- The breach at Reddit was possible because the company used an outdated form of two-factor authentication, specifically SMS-based codes, which were considered insecure and open to interception by attackers [73658]. |
| Objective (Malicious/Non-malicious) | malicious | (a) The incident reported in Article 73658 was malicious in nature. Hackers compromised Reddit's systems and stole a cache of user data, including email addresses and passwords from 2007. The breach was possible because of an outdated form of two-factor authentication based on SMS, whose codes were intercepted by attackers. The stolen passwords were hashed, but the hashing techniques used in 2007 are now relatively easy to break. Reddit acknowledged the risks of SMS-based authentication and is moving to token-based two-factor authentication to strengthen security [73658]. |
| Intent (Poor/Accidental Decisions) | poor_decisions | (a) The incident at Reddit was primarily due to poor decisions. The breach occurred because Reddit was using an outdated form of two-factor authentication, SMS-based codes, on its employee accounts, even though the method was known to be insecure. Reddit's chief technology officer, Christopher Slowe, acknowledged that SMS-based authentication was not secure and that the main attack was an SMS intercept. Despite the known risks, Reddit continued to use it because of constraints imposed by the third-party software it relied on. This decision to keep an outdated and insecure authentication method ultimately led to the breach and the theft of user data [73658]. |
| Capability (Incompetence/Accidental) | development_incompetence, accidental | (a) The development-incompetence aspect lies in the outdated form of two-factor authentication used by Reddit. The breach occurred because Reddit's employee accounts relied on SMS-based authentication, a method considered insecure because attackers could intercept the texts carrying the one-time codes [73658].<br>(b) The incident can also be considered accidental, since Reddit did not intend to have vulnerabilities in its authentication system. The breach was not a deliberate act by the company but the result of using an insecure authentication method that was later found to be open to interception by attackers [73658]. |
| Duration | temporary | (a) The incident in the article is considered temporary. Hackers compromised systems and stole user data from Reddit by exploiting the outdated SMS-based two-factor authentication on employee accounts [73658]. The breach was discovered on June 19, and Reddit has been conducting an investigation to improve its systems and prevent similar attacks in the future. Measures are being taken to change the employee login system, such as moving to token-based two-factor authentication [73658]. |
| Behaviour | crash, other | (a) crash: The incident in the article can be categorized as a crash. Hackers compromised Reddit's systems, leading to a breach in which a cache of user data, including email addresses and old passwords from 2007, was stolen [73658].<br>(b) omission: The article does not mention the software failing to perform its intended functions at any particular instance.<br>(c) timing: The incident does not involve the system performing its intended functions correctly but too late or too early.<br>(d) value: The incident does not involve the system performing its intended functions incorrectly.<br>(e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions.<br>(f) other: The behaviour can be categorized as a security breach, in which hackers compromised Reddit's systems and stole user data, exposing weaknesses in the authentication system Reddit used [73658]. |