August 3, 2018 at
Reddit has confirmed that a hacker had momentary access to internal services after being able to bypass SMS two-factor identification.
When you hear of a hacking, you immediately have a few thoughts cross your mind. What exactly did they hackers steal? Just company data or did they manage to steal user information as well? Luckily, Reddit has stated that nothing of real value was taken. The more concerning part of the hack? The fact that the hacker was able to hack through an SMS based two-factor authentication.
What We Know
Reddit has known about the data breach since June 19th, but just recently released a statement on the issue. The hacker did his work sometime between June 14th and June 18th. The hacker gained access to a backup of Reddit’s from 2007, which gave the hacker access to hashed passwords. Hashed here meaning a type of encryption, where a human wouldn’t be able to understand exactly what the real password is.
The hacker also managed to gain access to Reddit’s June 2018 “email digests.” This gave the hacker access to email addresses that receive the email digest from Reddit. This comes as good news to the thousands of Reddit users who were worried about personal information and password data.
Reddit was also quick to confirm that the hacker gained “read-only access,” and was unable to gain write access to the Reddit systems.
SMS Two-Factor Not So Safe
The hack, which came as a surprise to the IT community everywhere, shows the weak point behind SMS two-factor authentication. SMS two-factor authentication not only requires a password to log in but also requires you to input a code that has been sent to a registered phone number. The hacker was able to gain access to employees accounts by simply scamming their phone providers.
Though it seems logical that phone numbers would be hard to gain access to, hackers have managed to scam carrier companies into dishing out passwords and transferring numbers onto SIM cards that the hacker owns. After gaining access to the number, the hacker is then able to send the SMS two-factor code to himself, and essentially gain access to the victim’s personal information, such as passwords.
Reddit asks users to ditch 2-Factor
Reddit moderator KeyserSosa gave users of Reddit a small bit of advice.
A strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended for all users.
Though it is recommended that you use 2FA authentication over SMS, SMS two-factor is still a whole lot safer than simply using a password. The traditional way to log into sites and apps has been shown to be very easily hacked. Google has implemented a hardware-based security key to stop phishing on their employees’ accounts.
Who was affected?
Reddit has started emailing users that have been impacted by the hack. They will be sending out prompts to change passwords to those affected if they deem necessary, but suggest you change your password anyway. Reddit will be emailing users with more information and tips on how they can better protect their information, and what they can further do about information stolen during the breach.