Industry News

Reddit hacked – but don’t give up on 2FA just yet

As you’ve probably heard in the news, Reddit has been hacked.

The immensely popular website says that it discovered a data breach in June, after an attacker compromised some employee accounts.

The employees’ accounts were protected with SMS-based two-factor authentication (2FA), which meant that an attacker not only had to steal a worker’s password, but also had to intercept the authentication token sent to their mobile phone.

Breaking into the accounts, the hacker was able to access databases and logs, including an unknown number of usernames and related email addresses, as well as encrypted passwords from a database dating back to the site’s early days in 2007.

Other data accessed included Reddit source code, internal logs, configuration files and other employee workspace files.

Perhaps the most worrying aspect for those Reddit users who joined after 2007 is that the hacker might be able to associate their username with their email address. After all, anonymity is one of the features that draws many users to Reddit, especially if they participate in discussion groups on sensitive subjects or personal issues.

Reddit says that the reason some email addresses might be linked to users is because the hacker accessed logs containing the email digests the site sent between June 3 and June 17, 2018. In the United States, such email digests are enabled by default.

Reddit’s response to this is somewhat disappointing.

It says it plans to contact any users affected by the breach related to the 2007 database, but has made no such promises regarding the unknown (but potentially considerable) number of users who may have had their email address linked to their accounts.

Instead the company simply offers the rather lame suggestion of thinking about “whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.”

And, of course, it’s a good idea to change your password to something unique and hard to crack if you believe it may have been compromised, and to enable 2FA.

Hang on? 2FA? Isn’t that what was exploited to break into the Reddit employees’ accounts?

Well, yes. But the 2FA offered to Reddit users isn’t based upon an SMS that can potentially be intercepted. Instead, users are offered the ability to get a Time-based One-Time Password (TOTP) generated by an authentication app.

SMS-based 2FA has been frowned upon in recent years, as attacks have become more common.

So-called “SIM swap” fraud (where scammers trick phone carriers into giving them control of your phone number) is not uncommon, and there are plenty of examples of identity thieves hijacking cellphone accounts in their pursuit of virtual currency – all because they have been able to intercept 2FA tokens sent via SMS.

But for all the criticism that SMS-based 2FA receives from computer security experts, I think we would be unwise to consider it utterly disastrous.

Yes, it would be better if users had a hardware token or a means of authenticating themselves which did not require receiving an SMS message, but SMS-based 2FA is certainly better than no 2FA at all.

Many attempts to break into accounts *will* be prevented by SMS-based 2FA, and most criminals will simply move on to another target who hasn’t bothered to defend their online life with an additional level of authentication.

In summary, harden your online accounts with multi-factor authentication. And if the only protection offered to you is SMS-based, use that rather than nothing at all. It may not stop a particularly determined attacker, but it will still give your accounts a higher level of defence than that used by most internet users.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • Yeah, reddit's suggestions are a bit disappointing. I agree that 2FA via SMS is good enough in most cases. As it was said, it is better than nothing. But if you are dealing with sensitive information, wouldn't it be safer to get hardware tokens for your employees? They are not that expensive! Of course, it depends on how highly you value your reputation)))

    I am CSO in a small financial company. About 7 months ago hackers managed to get the passwords of our accounting department employees. 2FA was the only thing that prevented our funds from being transferred to some Russian bank account. Thanks, Protectimus Slims, for saving my job. Bad news that Reddit didn't use hardware security tokens.