Reddit suffers data breach due to SMS-based 2FA



"In Reddit's first years, it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted, hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then", Slowe said. In the past, cybercriminals have assumed a victim's identity to trick cellular providers into essentially giving them access to the person's phone number.

"In the Digital Identity Guidelines published by NIST last year, SMS-based authentication is considered risky and its use is restricted".

"The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to", Reddit said.

What Reddit didn't detail is which hashing algorithm was used for the salted password hashes.

If you don't have two-factor authentication, it's a good idea to use it on your most important accounts, like Facebook or your bank, which can usually be activated in the settings page.

Reddit said it migrated employees from SMS-based 2FA to token-based 2FA and urged other companies and users to do the same.

"A cybercriminal only needs to get their hands on one password to potentially gain access to private and even financial information across a number of accounts and apps". The company has said that "if there's a chance the credentials taken reflect the account's current password", it will make you reset your Reddit account password.

For those thinking that deleting their Reddit account may assist them, Small said the cat is out of the bag.

Nevertheless, despite its problems, security researchers still recommend SMS-based 2FA over not using 2FA at all. Low-priced USB-based security keys allow users to complete the login process simply by inserting the device and pressing a button.

That means they not only have to enter a password to log in, but they also need to receive a special code sent via text.
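To make concrete the difference between the SMS code described here and the token-based 2FA Reddit moved its employees to, the following is an added example (not Reddit's code, and the article does not say which token scheme Reddit adopted); it assumes the common authenticator-app form, time-based one-time passwords per RFC 6238 (HOTP per RFC 4226 underneath). The point it shows is that the code is computed on both sides from a shared secret and the current time, so nothing is transmitted over the carrier network for a SIM-swap attacker to intercept. The secret and time values used below are the published RFC 6238 test vectors, not real credentials.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for one user's authenticator.

    - Accepts codes from `window` adjacent time steps to tolerate clock drift.
    - Refuses to accept any time step at or before the last accepted one, so a
      code that was already used (or observed) cannot be replayed within its window.
    - Compares in constant time to avoid leaking which digits matched.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_counter = -1  # no code accepted yet

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_counter:
                continue  # replay or older than something already accepted
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed sample, not a real key).
    SECRET = b"12345678901234567890"
    # The authenticator app and the server both derive the same code from secret + time.
    print("code at t=59:", totp(SECRET, 59))  # 287082 per RFC 6238 (last 6 of 94287082)
    v = TotpVerifier(SECRET)
    print("first use accepted:", v.verify(totp(SECRET, 59), 59))
    print("replay rejected:", v.verify(totp(SECRET, 59), 59))
```

In a deployment the per-user secret would be provisioned once (typically via a QR code) and stored server-side with the same care as a password hash, while `last_accepted_counter` would be persisted alongside it; the carrier network is never involved, which is exactly the exposure the article describes for SMS codes.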

The one limiting factor with security keys is that relatively few Web sites now allow users to use them.

Last week, KrebsOnSecurity reported that Google now requires all of its 85,000+ employees to use security keys for 2FA, and that it has had no confirmed reports of employee account takeovers since the company began requiring them at the beginning of 2017.

Today Reddit announced a security incident that occurred in the middle of June. "While two-factor authentication can help a lot, it has to be the right kind of two-factor".

For more information on what was stolen, how to determine if you're affected, and for a thorough discussion on the matter, check out this Reddit thread.