
Reddit Announces Security Breach After Hackers Bypassed Staff's 2FA

03 August 2018

Social media site Reddit has suffered a data breach, but has refused to disclose its scale.

The intrusion reportedly took place between June 14 and June 18, after the attacker compromised a few Reddit employees' accounts with the company's cloud and source code hosting providers.

The online discussion board, which prides itself on providing anonymity, said that with those employee accounts the attacker gained read access to two datasets: an older one containing user credentials, and recent email digests. The attacker broke into some of its systems and read some user data, but was not able to modify any of the site's content or systems.

Reddit said it was messaging user accounts "if there's a chance the credentials taken reflect the account's current password", and has urged users to check their Reddit inboxes as well as their emails to establish whether they were affected by either dataset.

The email digests connected usernames to the email addresses to which the digests were sent, as well as carrying suggested posts based on the subreddits to which those users subscribed. Even without any passwords, that link between a pseudonymous username and a real email address is the data most Reddit users would least want exposed.

It appears that SMS-based two-factor authentication played a key role: the compromised employee accounts were protected by 2FA, but the second factor was delivered by text message. The US National Institute of Standards and Technology (NIST) has advised against SMS-based 2FA (its Digital Identity Guidelines, SP 800-63B, classify it as a restricted authenticator), and academics have demonstrated bypasses for a few years, but in recent weeks SMS-based 2FA has been broken in the real world as well [1, 2]. One common method is SIM swapping: the attacker assumes the victim's identity to trick the cellular provider into essentially handing over the person's phone number, after which every SMS code is delivered straight to the attacker.

The company has also called on users to choose a strong, unique password and to enable two-factor authentication via an authenticator app rather than SMS.

The firm said it is notifying users affected by the older dataset directly, but told those potentially affected by the newer one that they must search their own inboxes for digest emails from noreply@redditmail.com sent between June 3 and June 17, 2018.

Reddit users might believe they are relatively anonymous, since they need to provide only a username and an email address to sign up, but Reddit CTO Christopher Slowe advised users affected by the breach to think about whether there is anything on their Reddit account that they would not want associated with that email address.

The company said that since the intrusion it has bolstered its monitoring systems and has reported the breach to law enforcement, which is investigating.

For users, the practical advice is the usual one. If you are not yet using a password manager, now is the time to change that, so that a password exposed in an old dump is not still in use anywhere else. If you do not have two-factor authentication, enable it on your most important accounts, such as Facebook or your bank; it can usually be switched on from the account's settings page, and an authenticator app is a safer choice than SMS codes.
