As you’ve probably heard in the news, Reddit has been hacked.
The immensely popular website says that it discovered a data breach in June, after an attacker compromised some employee accounts.
The employees’ accounts were protected with SMS-based two-factor authentication (2FA), which meant that any attacker did not only have to steal a worker’s password, but also intercept the authentication token sent to their mobile phone.
Breaking into the accounts, the hacker was able to access databases and logs, including an unknown number of usernames and related email addresses, as well as encrypted passwords from a database dating back to the site’s early days in 2007.
Other data accessed included Reddit source code, internal logs, configuration files and other employee workspace files.
Perhaps the most worrying aspect for those Reddit users who joined after 2007, is that the hacker might be able to associate their username with their email address. After all, anonymity is one of the features that draws many users to Reddit, especially if participating in discussion groups on sensitive subjects or personal issues.
Reddit says that the reason some email addresses might be linked to users is because the hacker accessed logs containing the email digests the site sent between June 3 and June 17, 2018. In the United States, such email digests are enabled by default.
Reddit’s response to this is somewhat disappointing.
It says it plans to contact any users affected by the breach related to the 2007 database, but has made no such promises regarding the unknown (but potentially considerable) number of users who may have had their email address linked to their accounts.
Instead the company simply offers the rather lame suggestion of thinking about “whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.”
And, of course, it’s a good idea to change your password to something unique and hard to crack if you believe it may have been compromised, and to enable 2FA.
Hang on? 2FA? Isn’t that what was exploited to break into the Reddit employees’ accounts?
Well, yes. But the 2FA offered to Reddit users isn’t based upon a SMS that can potentially be intercepted. Instead, users are offered the ability to get a Time-based One-Time Password (TOTP) generated by an authentication app.
SMS-based 2FA has been frowned upon in recent years, as attacks have become more common.
So-called “SIM swap” fraud (where scammers trick phone carriers into giving them control of your phone number) are not uncommon, and there are plenty of examples of identity thieves hijacking cellphone accounts in their pursuit of virtual currency – all because they have been able to intercept 2FA tokens sent via SMS.
But for all the criticism that SMS-based 2FA receives from computer security experts, I think we would be unwise to consider it utterly disastrous.
Yes, it would be better if users had a hardware token or a means of authenticating themselves which did not require receiving an SMS message, but SMS-based 2FA is certainly better than no 2FA at all.
Many attempts to break into accounts *will* be prevented by SMS-based 2FA, and most criminals will simply move on to another target who hasn’t bothered to defend their online life with an additional level of authentication.
In summary, harden your online accounts with multi-factor authentication. And if the only protection offered to you is SMS-based, use that rather than nothing at all. It may not stop a particularly determined attacker, but it will still give your accounts a higher level of defence than that used by most internet users.