Reddit Hacked, and the Breach Reveals How Porous SMS 2FA Is

Reddit Hacked Through 2FA – Two-Factor Authentication Using SMS

Reddit has announced that its platform was hacked. Reddit is the foremost community site for social news aggregation, web content rating and discussion.

For most Zambians who don’t know Reddit: check it out, and if you are a power news hound and content seeker, it will become your platform.

Reddit is similar to Facebook but different in many ways:

  • Users’ interests are the centre of the experience on Reddit, while
  • users’ friends are the centre of the experience on Facebook.
  • On Reddit the reward for a good post is karma; on Facebook it is likes.
  • Facebook is built around your real-world identity; Reddit doesn’t care who you are, and you can open as many accounts as you wish.

More on Reddit: Paradise Papers discovery first happened on Reddit


How It Happened – Reddit Hacked

“We had a security incident,” KeyserSosa announced. The attacker compromised a few Reddit employees’ accounts by intercepting the SMS messages that carried their 2FA codes, then used those codes to log in as those employees and reach backend data. Through those accounts the attacker broke into a few of Reddit’s systems and read some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.

In cryptography, a salt is random data used as an additional input to a one-way function that hashes data such as a password or passphrase. Each user gets a different salt, so two users with the same password end up with different hashes, and an attacker cannot run one precomputed table of hashes (a rainbow table) against the whole database at once. What a salt does not do is keep the password secret from someone who has the database: the salt is stored right next to the hash, so once you have the backup, tools such as hashcat or John the Ripper can run an offline dictionary attack and recover weak passwords, one user at a time.
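To make that distinction concrete, here is an added example; it is not Reddit’s code, and the hash construction (SHA-256 over salt plus password), the three user records and the attacker word list are all constructed for illustration. The page does not say which algorithm the 2007 backup used. The block builds a small salted-hash “backup”, shows that two users with the same password get different hashes, and then runs the kind of offline dictionary attack an attacker holding the file would run.

```python
import hashlib
import os
import secrets
from typing import Dict, List, Optional


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Store a password as salt plus SHA-256(salt || password), both hex-encoded.

    A fresh random 16-byte salt per user is the classic scheme: it defeats
    precomputed (rainbow) tables and hides which users share a password.
    The salt is not a secret; it is stored right next to the hash.
    (Assumed construction for illustration, not Reddit's 2007 scheme.)
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return secrets.compare_digest(candidate, record["hash"])


# Constructed "leaked backup": three users, two of whom chose the same weak password.
BACKUP: Dict[str, Dict[str, str]] = {
    "alice": make_record("letmein"),
    "bob": make_record("letmein"),
    "carol": make_record("x7!Qp9#vL2mR$wZ"),  # constructed strong passphrase
}

# Constructed attacker word list; real ones hold hundreds of millions of entries.
WORDLIST: List[str] = ["password", "123456", "qwerty", "letmein", "reddit", "iloveyou"]


def hashes_collide(backup: Dict[str, Dict[str, str]], user_a: str, user_b: str) -> bool:
    """True if two users' stored hashes are identical (what an unsalted store would leak)."""
    return backup[user_a]["hash"] == backup[user_b]["hash"]


def crack_backup(backup: Dict[str, Dict[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack over a stolen backup.

    The salt forces one hash computation per (user, guess) pair instead of a
    single table lookup, but a fast hash plus a weak password still falls in
    microseconds. Returns {username: recovered_password} for every hit.
    """
    recovered: Dict[str, str] = {}
    for user, record in backup.items():
        salt = bytes.fromhex(record["salt"])
        for guess in wordlist:
            if hashlib.sha256(salt + guess.encode("utf-8")).hexdigest() == record["hash"]:
                recovered[user] = guess
                break
    return recovered


if __name__ == "__main__":
    print("alice and bob share a hash:", hashes_collide(BACKUP, "alice", "bob"))
    print("recovered from backup:", crack_backup(BACKUP, WORDLIST))
```

Running it shows alice and bob with different hashes despite the same password, and then both recovered by the dictionary attack while carol survives only because her passphrase is not in the list. The salt bought nothing against weak passwords; what raises the attacker’s cost per guess is a deliberately slow, memory-hard password hash such as bcrypt, scrypt or Argon2 in place of the plain SHA-256 used here.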

The password data in that backup belongs to accounts created between Reddit’s launch in 2005 and May 2007, so the old hashes only matter if you registered before then. Newer users are not entirely out of scope, though: the announcement also mentions some current email addresses. Reddit is actively resetting passwords on affected accounts where the old credentials may still be in use.


What You Need To Do According to Reddit

  • If your account credentials were affected and there’s a chance they relate to the password you’re currently using on Reddit, we’ll make you reset your Reddit account password.
  • Whether or not Reddit prompts you to change your password, think about whether you still use the password you used on Reddit 11 years ago on any other sites today.
  • Read the full instructions in the Reddit announcement.

It would also be wise to read the following from the announcement:

If your email address was affected, think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address. You can find instructions on how to remove information from your account on this help page.

And, as in all things, a strong unique password and enabling 2FA (which we only provide via an authenticator app, not SMS) is recommended. Be alert for potential phishing or scams.


More: Reddit has even thrown in a vacancy

On a related note, if you’d like to help out here and have a security background, we actually have a couple of open security roles right now.


Post Author: Funashi Mwamba

Funashi knows about everything and a lot about something and usually writes about those somethings.