Reddit Hacked, Despite SMS Two-Factor Authentication

Reddit on Wednesday reported a data alienation. The good news? Nothing as well major was likely stolen. The bad news? It involved a ii-factor authentication scam.

SecurityWatch During the mid-June intrusion, the hacker accessed an onetime fill-in of Reddit that contained user data such as hashed passwords from 2007. The culprit as well viewed logs from Reddit'south "electronic mail digests," which can associate a username with an e-mail accost, if you provided it.

In other words, the breach appears to have only exposed email accost information for existing users and scrambled password data for long-time Reddit fans from over a decade ago.

"The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs," Reddit engineer "KeyserSosa" said in a postal service detailing the security incident.

Nevertheless, the breach is raising alarm bells in the It security community because the assaulter did and then past breaking into employee accounts that were supposedly protected by 2-factor authentication.

These accounts were configured to non only need a password upon login, simply as well a special i-time passcode that would've been sent over the employee's smartphone via SMS messaging.

"We learned that SMS-based hallmark is not nearly as secure as we would promise, and the primary attack was via SMS intercept," Reddit'southward KeyserSosa said, without elaborating.

How does a hacker go virtually stealing SMS messages? It's not every bit difficult as you lot might think. In the by, cybercriminals have causeless a victim'south identity to trick cellular providers into essentially giving them access to the person'southward phone number. Hackers with more technical expertise and the right hardware can also tamper with cellular technologies to collect nearby SMS messages or temporarily spoof someone's phone number.

Whatever the case may be, Reddit is using the security incident to encourage the public to switch over to non-SMS-based two-factor hallmark. This involves your smartphone generating the special old passcode over an app. Another solution is to use a hardware-based security central, which is what Google has done to stop phishing on company employee accounts.

If yous don't take 2-factor authentication, it's a good thought to use it on your most important accounts, like Facebook or your bank, which can usually be activated in the settings folio. Even the SMS-based authentication is amend than only protecting your account with a password.

For Reddit users who may have had their login credentials stolen in the breach, the website will reset passwords and message affected users with tips on how they can protect themselves.

"Whether or not Reddit prompts you to change your password, think most whether y'all still utilize the password y'all used on Reddit 11 years ago on whatever other sites today," the site said.