Sunday, 9 December 2018
Latest news
Main » Reddit suffers data breach

Reddit suffers data breach

03 August 2018

Specifically, every user account that was created between the site's launch in 2005 until May 2007 has potentially had its username, email address, salted hashed password, and private messages (during that timeframe) accessed. "Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not almost as secure as we would hope, and the main attack was via SMS intercept", the company revealed, adding into the much-needed ongoing push into encouraging employees to move away from SMS-based 2FA system.

This matters because the June 2018 cache of email addresses and usernames could reveal a lot about users who rely on a degree of anonymity when using Reddit.

Reddit has become the latest big-name tech firm to admit to a major data breach, after hackers compromised staff accounts by intercepting SMS-based two-factor authentication codes. "Reddit needs to raise the priority on implementing the model of least privilege and privileged access security controls as this breach demonstrates that the accounts compromised had read access to storage systems including source code, logs and configurations". Since the company isn't clear about the breach's size, breaches are often worse than they first appear, and you've nothing to lose by doing it, you might as well change your password as a precaution though.

Otherwise, the company recommends that users search their inboxes for emails sent by [email protected] between June 3 and June 17 to learn if they were affected.

"In the Digital Identity Guidelines published by NIST a year ago, SMS-based authentication is considered risky and its use is restricted".

Reddit logs
Reddit logs

Reddit explained that the main attack was executed via an SMS intercept. Here's what you need to know?

The company said that since the intrusion it has bolstered its monitoring systems and has reported the breach to law enforcement, which is investigating.

And it's worth taking this incident as a warning that SMS two-factor authentication isn't completely secure and that it may be worth investing in a physical authenticator key.

According to an announcement issued on 2 August, current email addresses and a 2007 database back-up containing old salted and hashed passwords have been accessed.

If you use the same passwords on several accounts, change those log-in details too. There will be question marks for starters over the length of time it took to notify customers and the decision to force users to proactively check their emails to see if they were affected by the more recent breach. The company is also encouraging users to enable token-based two-factor authentication through Authy, Google's Authenticator, or a similar service.

Reddit suffers data breach