It seems that this is Shark Week for hackers! One data breach after another. Reddit has disclosed a breach of its systems that exposed user data, including some current email addresses and a 2007 database backup containing usernames and salted, hashed passwords.
On Wednesday, the web content aggregation platform notified users that a hacker gained access to several employee accounts via SMS intercept between June 14 and June 18. Reddit became aware of the attack on June 19 and says it has since mitigated the threat and rolled out improved systems and processes to prevent it from happening again.
Reddit requires two-factor authentication (2FA) on its primary access points for code and infrastructure, but the company said the SMS-based authentication the attacker targeted is “not nearly as secure” as it had thought.
“We point this out to encourage everyone here to move to token-based 2FA,” the company said.
SMS hijacking is an increasingly common mode of attack: a one-time code sent by text can be captured through SIM-swap fraud, by attacks on the carrier's SS7 signalling network, or by a phishing page that relays the code in real time. That is why critics of SMS 2FA argue it is really two-step verification rather than true two-factor authentication. An authenticator app keeps the shared secret on the device and sends nothing over the carrier network, and a physical security key goes further by signing a challenge bound to the site's origin, which a phishing page cannot replay; both are considerably stronger than SMS.
Reddit said the attacker obtained read-only access to some systems, source code and logs. This included a complete copy of an old database backup of Reddit user data from the site's launch in 2005 through May 2007, containing usernames, salted and hashed passwords, email addresses and all content, including private messages.
“They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems,” the company said.
Reddit is contacting affected users and requiring password changes for anyone still using the same password from 11 years ago.
With these recent breaches, it would be in your best interest to update your passwords. ALL OF THEM. Use a unique passphrase for every account: reusing one password means a single old backup like Reddit's can unlock your other accounts. Swapping letters for symbols and numbers adds little on its own, because password-cracking tools apply those substitutions automatically; length and uniqueness are what count. Here at Prilock, we recommend relying on a password manager such as LastPass, so you only need to remember one master password, and turning on token-based 2FA wherever a service offers it.
Original Article Found Here.