Reddit Hacked, Despite SMS Two-Factor Authentication



Cyber crooks managed to swipe user data that included usernames, email addresses and hashed passwords. Users who signed up after 2007 were not affected by this part of the data breach.

The firm claimed it is notifying users about the older breach, but has told users potentially affected by the newer one that they must proactively search their inbox for emails sent between June 3 and 17, 2018.

We reached out to Reddit in an attempt to determine if long-deleted accounts from back in the day were affected in any way, but did not receive an answer to that question as of press time.

The hackers were also able to access encrypted passwords from a separate database of credentials from 2007. The website says the digest emails connect email addresses to usernames. Together, these details could.

What was accessed: a complete copy of an old database backup containing very early Reddit user data, from the site's launch in 2005 through May 2007. Since the company isn't clear about the breach's size, breaches are often worse than they first appear, and changing your password costs you nothing, you might as well do so as a precaution.

A hacker managed to steal historical account data from Reddit by intercepting SMS text messages that employees used for two-factor authentication, gaining access to some backend systems. The weakness is not unique to SMS: even when the second factor is generated by a mobile app, the one-time code is entered into the same website login page along with the user's password, meaning both the password and the one-time code can still be subverted by phishing, man-in-the-middle and credential replay attacks.

Reddit said the hacker compromised multiple employee accounts on its cloud and source code hosting providers between June 14-18.

Reddit employees use something called two-factor authentication on their accounts. Not only that, but email digests sent in June 2018 were also accessed. Reddit said it discovered the breach the next day, on June 19. "Although it's hard to crack those passwords, once cracked, the chances are much greater that they will also be added to a dictionary in a future 'credential stuffing attack'." Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
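Credential stuffing has a recognisable shape on the receiving end: one source trying many different usernames in a short time, as opposed to one user fumbling their own password. The following detection logic is an added example, not code from the article or from Reddit; the log format, the usernames and the RFC 5737 documentation addresses are constructed for the demo, and the thresholds are illustrative. It slides a time window over each source's attempts and flags a source when both the attempt count and the number of distinct usernames exceed the thresholds.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). One address cycles
# through six usernames in a few seconds and eventually succeeds; another
# address is a single user failing five times; a third is an ordinary login.
SAMPLE_LOG = """\
2018-06-15T10:00:01Z login_failed user=alice src=203.0.113.7
2018-06-15T10:00:02Z login_failed user=bob src=203.0.113.7
2018-06-15T10:00:02Z login_failed user=carol src=203.0.113.7
2018-06-15T10:00:03Z login_failed user=dave src=203.0.113.7
2018-06-15T10:00:04Z login_failed user=erin src=203.0.113.7
2018-06-15T10:00:05Z login_success user=frank src=203.0.113.7
2018-06-15T10:01:00Z login_failed user=carol src=198.51.100.23
2018-06-15T10:01:10Z login_failed user=carol src=198.51.100.23
2018-06-15T10:01:20Z login_failed user=carol src=198.51.100.23
2018-06-15T10:01:30Z login_failed user=carol src=198.51.100.23
2018-06-15T10:01:40Z login_failed user=carol src=198.51.100.23
2018-06-15T10:02:00Z login_success user=gina src=192.0.2.44
"""


def parse_line(line: str) -> dict:
    """Parse '<ISO timestamp> <event> key=value ...' into a dict with a UTC datetime."""
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["event"] = event
    return rec


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_attempts: int = 5,
                               min_users: int = 4) -> dict:
    """Return {src: (attempts, distinct_users)} for every source that, within
    some sliding window, makes at least `min_attempts` login attempts spread
    over at least `min_users` different usernames. Successful logins count as
    attempts too: a success inside such a burst is the account to go and check.
    One user failing repeatedly from one address does not trip the rule."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        by_src[rec["src"]].append((rec["time"], rec["user"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        j = 0
        for i in range(len(events)):
            # advance j to the first event outside the window starting at events[i]
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            span = events[i:j]
            users = {user for _, user in span}
            if len(span) >= min_attempts and len(users) >= min_users:
                best = flagged.get(src, (0, 0))
                flagged[src] = max(best, (len(span), len(users)))
    return flagged


if __name__ == "__main__":
    for src, (attempts, users) in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {attempts} attempts across {users} usernames")
```

The per-username view matters as much as the per-source one: the defensive response to a flagged burst is to force a password reset (and ideally a stronger second factor) on any account that succeeded inside it, since that is the account whose password was already in the attacker's dictionary.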

Reddit pinned the incident on the hacker's ability to bypass 2FA. Speaking to The Atlantic, Reddit co-founder Steve Huffman said: "When people detach from their real-world identities, they can be more authentic, more true to themselves". Many companies can be nudged in that direction if enough users start demanding it, so consider using any presence and influence you may have on social media platforms to make your voice heard on this important issue.

