Reddit hack shows hole in 2-factor authentication via SMS
Reddit, the largest forum in the world and self-styled ‘front page of the internet’, has been hacked. Some of the data of users who created an account between 2005 and 2007 was accessible to the intruders. Although no useful passwords were captured, the hackers now have the user names, e-mail addresses and everything the users in question wrote on the forum, including private messages.
Reddit reacted well to the data breach: it informed the necessary authorities and made clear to users what had leaked, with the kind request to replace their passwords for security. The actual damage (depending on who has written what on Reddit and how open to blackmail that makes them) is therefore not too bad. If you are on Reddit and have not received any notice from them, your data is not included.
2-factor misery
2-factor authentication has been increasingly used in the last few years. Having to send a second code or confirmation via a different route after you log in is seen as one of the safest ways to secure access to an account. However, as Google also said, just before announcing their own 2-factor device, the use of your telephone is a weak link here.
That shows again here: at Reddit it is suspected that access to the site’s cloud storage was obtained because someone found the login data of an employee and then, by imitating, temporarily intercepting or even taking over someone’s phone number, received the verification text that was needed to log in. For normal mortals who do not have access to anything that someone else wants, that is not so important, but if you already have or want to have 2-factor authentication, it is a different story. SMS messages are too easy to intercept and therefore not safe. So make sure you have a USB security key or other hardware-based solution for your 2-factor authentication, especially if you are allowed to use Reddit’s servers …