Despite being presented as an extra layer of security for its users, two-factor authentication turned out to be less secure than it promises after Reddit was hacked.
A hacker gained access to Reddit's internal systems by finding a way around the two-factor authentication on employee accounts. Thankfully, no significant data was reportedly stolen. The bad news is that two-factor authentication is not as reliable as assumed after all.
It happened around mid-June, when the hacker gained access to an old Reddit backup containing user data and hashed passwords dating from 2007. The hacker also viewed logs from Reddit's email digests, which can tie an email address to a username. The hacker was only able to view email addresses of existing users and scrambled (hashed) passwords of long-time Reddit users from years ago.
Reddit web engineer KeyserSosa wrote in a post addressing the incident: “The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code, and other logs.”
Despite Reddit's attempt to reassure concerned users, since no sensitive information was stolen, the incident has become a major issue in the IT industry because the employees' accounts were supposedly protected by two-factor authentication. The hacker managed to get past this security measure and break into the accounts.
This two-factor authentication requires not only a password at login but also a unique, one-time passcode sent to the employee's smartphone via SMS. KeyserSosa adds, “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept.”
So how did the hacker get past the SMS-based two-factor authentication? It turns out that it's not rocket science after all. Hackers have done this before by tricking cellular providers into believing they were the account owner and having the victim's phone number transferred to them. Some hackers with more technical skills are also able to tamper with cellular technology to intercept nearby SMS messages or temporarily spoof someone's phone number.
After the incident, Reddit has encouraged users to switch to non-SMS-based two-factor authentication, in which the unique one-time passcode is delivered through an authenticator app on the user's phone rather than by text message. Users could also adopt hardware-based authentication, similar to what Google has done to stop phishing attacks targeting its employees' accounts.
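As an added illustration that is not part of the original article or of Reddit's own code: an app-based one-time code (TOTP, RFC 6238, what authenticator apps implement) is computed on the phone from a shared secret and the clock, so there is no text message to intercept. The verifier below also shows the two checks a server should make, tolerating small clock drift and rejecting a replayed code; the enrollment secret is the RFC's published test key and the timestamps are test values, nothing from Reddit.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second slot."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: accepts a code from the current slot or one slot either
    side (clock drift) and never accepts the same or an older slot twice (replay)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_slot = -1                      # highest slot already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        now_slot = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            slot = now_slot + drift
            if slot <= self.last_slot:
                continue                         # already used or too old
            expected = hotp(self.secret, slot, self.digits)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_slot = slot
                return True
        return False


# Constructed enrollment secret in the base32 form authenticator apps scan from a QR code;
# it decodes to b"12345678901234567890", the RFC 4226/6238 test key.
ENROLLED_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo() -> bool:
    secret = base64.b32decode(ENROLLED_BASE32)
    server = TotpVerifier(secret)
    t = 59                                       # RFC 6238 test instant (slot 1)
    code = totp(secret, t)                       # what the app would display: "287082"
    first = server.verify(code, t)               # accepted
    replay = server.verify(code, t + 5)          # same slot presented again: rejected
    return first and not replay
```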
Although this incident lessens our trust in the integrity of two-factor authentication, it is still advisable to use it on other important accounts such as email and Facebook. It is better than protecting your account with a password alone.
If you're a Reddit user whose login information may have been stolen, the website is resetting passwords and sending messages to those affected by the breach. Further information on how to fortify your account will also be provided.
The popular discussion website says, “Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on [the website] 11 years ago on any other sites today.”