Reddit, the immensely popular social news website, has been hacked. Reddit's CTO Christopher Slowe posted an announcement saying that the company discovered the breach in June, after an attacker compromised a handful of employee accounts.
The employee accounts were protected with SMS-based two-factor authentication, meaning that an attacker would have to not only steal a worker's password but also intercept the one-time code sent to the employee's mobile phone. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe shared. Reddit is encouraging users to move to more secure token-based two-factor authentication (2FA).
After breaking into the employee accounts, the intruder gained access to an old database backup and to logs, including usernames and their corresponding email addresses, as well as salted, hashed passwords dating back to the site's early days, from 2005 through 2007. Hashed passwords are not directly readable, but weak or reused passwords can be recovered by offline guessing, so anyone still using a password from that era should change it.
A major concern for affected users is that the attacker can now link a username to its email address, stripping away the pseudonymity that draws many people to Reddit, especially those participating in discussions on sensitive subjects or personal issues.
Two Factor Authentication
Reddit was using SMS-based 2FA, and this method has limitations. If attackers gain access to your text messages (for example by taking over your phone number or intercepting messages in transit) as well as your password, they can bypass SMS-based 2FA. Token-based 2FA works differently: an authenticator app or hardware token computes each one-time code locally from a shared secret and the current time, so no code travels over the telephone network where it could be intercepted. If SMS 2FA is your only option, please use it; it still stops an attacker who has only your password. Token-based 2FA, however, is more secure.
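To make the difference concrete, here is an added example (written for this page, not Reddit's own code) of how token-based 2FA works: both the authenticator app and the server derive the six-digit code from a shared secret and the current 30-second time step using HMAC, following RFC 4226 (HOTP) and RFC 6238 (TOTP), so at login time nothing is sent to the phone that an SMS intercept could capture. The secret used below is the published RFC test vector, embedded as constructed sample input; the server-side check also accepts one step of clock drift and refuses to accept the same time step twice, so a code that was observed once cannot be replayed.

```python
"""Minimal TOTP/HOTP (RFC 4226 / RFC 6238) client and server-side check.
Example code for illustration; not Reddit's implementation."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded
# the way an authenticator app receives it from an otpauth:// enrolment QR code.
# Constructed sample input for this example.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret from enrolment, tolerating spaces, lowercase
    and missing '=' padding (all common in what apps and users hand over)."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step.
    This is all an authenticator app does; no network is involved."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                last_used_step=None, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check. Returns the time step that matched, or None.
    window: accept +/- this many steps of client clock drift.
    last_used_step: the step of the last accepted code; any step at or before
    it is refused, so an already-used code cannot be replayed within its window.
    """
    current = int(at_time) // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    secret = secret_from_base32(SAMPLE_SECRET_B32)
    now = time.time()
    code = totp(secret, now)                      # what the app would display
    matched = verify_totp(secret, code, now)      # what the server would do
    print("current code:", code, "accepted at step:", matched)
```

The server must persist the matched step per account and pass it back as last_used_step on the next attempt, and it must store the shared secret with the same care as a password hash, since anyone who reads it can mint codes. Note that TOTP codes can still be captured by a real-time phishing page and forwarded within their 30-second window; that is why a hardware security key, which signs a challenge bound to the site's origin, is the stronger option where a service offers it.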
Reddit plans to directly notify those users whose data was accessed. Anyone concerned about their data should change their password (and change it on any other site where the same password was reused), and secure their account with token-based two-factor authentication.
- Cyber-attacks are becoming more sophisticated and your organization will need to deploy a multi-layered security program to prevent potential intrusions.
- To learn more about securing sensitive data while protecting your organization, you can contact our privacy and security professionals at email@example.com.