How Reddit Got Hacked

Reddit, the forum-hosting website, recently announced that it was hacked. The attackers gained read-only access to some systems containing backups of user data and source code. Reddit announced on 2 August 2018 that its site was breached between June 14 and June 18 of this year.

According to a post on the Reddit platform, they noticed the breach on the 19th of June. Here is an excerpt from Reddit:

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.

Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.

Now that we’ve concluded our investigation sufficiently to understand the impact, we want to share what we know, how it may impact you, and what we’ve done to protect us and you from this kind of attack in the future.”

How the Hackers Gained Access

From the excerpt above you can see that SMS-based authentication, the type of two-factor authentication (2FA) used by Reddit, presented a loophole for the hackers. They were able to intercept SMS messages sent to Reddit administrators on the back end before the administrators could authenticate a login.

If you are a Reddit user or intend to be, you don’t have to worry. The hacker was only able to obtain user data from accounts created before May 2007. Most accounts created after that date are safe. Reddit has sent messages to all affected users, directing them to change their passwords.

The hacker also obtained logs containing Reddit’s email digests sent between June 3 and June 17 of this year. If you did not have an email address associated with your account, or weren’t receiving digests during that period, this part won’t impact you.

How Reddit Has Handled the Hack

Reddit has done its due diligence: it reported the issue to law enforcement and is cooperating with their investigation. It also informed affected users, who were told to change their passwords.

How to Make Your Reddit Account More Secure

The biggest reveal of this hack is how weak SMS-based 2FA mechanisms are when any hacker can intercept text messages or have your phone number transferred to another phone.

The underlying weaknesses inherent to SMS-based 2FA are the root cause of this incident.

If you are a Reddit user, I urge you to use 2FA: not the SMS-based kind but the token-based kind, such as Google Authenticator. Do all you can to protect yourself and your account.

