Published: Fri, August 03, 2018
Tech | By Dwayne Harmon

Reddit staff used SMS for two-factor authentication and got hacked

Reddit staff used SMS for two-factor authentication and got hacked

But the site says it is contacting those who have been hacked.

"As the attacker had read access to our storage systems, other data was accessed such as Reddit source code, internal logs, configuration files and other employee workspace files, but these two areas are the most significant categories of user data", Slowe added.

They were able to obtain usernames and corresponding email addresses - information that could make it possible to link activity on the site to real identities.

"A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords", Reddit posted in the announcements section of the site. The incident is particularly important right this minute because of the rise of understanding in the weaknesses in sms-verified authentication.

The online discussion board, which prides itself on providing anonymity, said hackers compromised employees' accounts by gaining access to two datasets.

Somewhere between June 14 and 18, a hacker compromised a handful of Reddit employee accounts with the site's hosting providers.

But the incident has shattered its belief that two-factor authentication is a safe way to secure accounts.

But how were hackers able to infiltrate the self-professed "Front Page of the Internet", and for how long? Reddit says it's already taken steps in the weeks since the attack to further lock down and rotate all production secrets and API keys, and to enhance logging and monitoring systems.

'Because that sounds like a mother of all ticking time bombs, for a potential privacy breach. You all ******* deserved to be hacked for that kind of negligence and incompetence'. With so many data breaches happening lately, the chances that a re-used password was exposed is quite high.

The company also did not respond to a follow up question asking for more details on how it plans to inform users directly about the risk. Reddit has reported the issue to law enforcement and is cooperating with the investigation. On Wednesday Reddit began informing users who may be included in this dataset. It's also all urging all users to enable token-based two-factor authentication.

"We can not rely on single-factor authentication for our passwords to protect our digital lives". Reddit said it is resetting passwords on these early accounts in which the log-in credentials may still be working. It's more secure than SMS simply because the attacker in that case would need to steal your mobile device or somehow infect it with malware in order to gain access to that one-time code. "We understand it's hard to remember all your passwords but there are tools such as password generators and managers that can help solve this problem and ensure you don't become vulnerable to today's digitally advanced criminals".

Like this: