Published: Fri, August 03, 2018
Electronics | By Shannon Stone

Reddit hack reveals limitations of two-factor authentication security

Specifically, every user account created between the site's launch in 2005 and May 2007 has potentially had its username, email address, salted hashed password, and private messages (from that timeframe) accessed. Since the company isn't clear about the breach's size, breaches are often worse than they first appear, and there is nothing to lose by doing it, you might as well change your password as a precaution.

"In the Digital Identity Guidelines published by NIST previous year, SMS-based authentication is considered risky and its use is restricted".

According to Reddit, if you have your email address tied to your username and you were subscribed to the "email digest" during the mentioned dates, then you are affected. Because of this, the Reddit team is recommending that everyone move to two-factor authentication (2FA) just in case the hackers attempt to use their login credentials.

What Reddit didn't detail is which hashing method was used to protect the passwords. What's interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security. Fortunately, the hacker or hackers only gained access to backups from May 2007.

Fundamentally, two-factor authentication involves combining something you know (the password) with either something you have (a device) or something you are (a biometric component, for example).

Reddit said it is resetting passwords on those early accounts whose log-in credentials may still be valid.

Another solution is to use a hardware-based security key, which is what Google has done to stop phishing of company employee accounts. Reddit has said that "if there's a chance the credentials taken reflect the account's current password", it will make you reset your Reddit account password. Its global user base is 330m, similar to Twitter's.

Logs containing the email digests Reddit delivered between June 3 and June 17 of this year were also accessed.

Indeed, while 2FA is a vital security tool, it does have its weak points.

Today Reddit announced a security incident that occurred in mid-June. Unfortunately, many sites do not support any kind of two-factor authentication, let alone methods that go beyond SMS or a one-time code read to you by an automated phone call. "Many online services mirror and cache old Reddit data, so there may be no way to take back past comments shared online", he said.

