Last month, the world’s fourth most popular social media site, Reddit, was attacked and successfully breached by an unknown attacker, giving more evidence for all to adopt two-factor authentication.
Having recently surpassed Twitter by the number of active users, Reddit.com is the fourth most popular social media platform, and the most recent social media platform to suffer an attack of this magnitude.
You can read Reddit's announcement here.
Reddit Breach Motive
There isn’t much information on the motive of the attack, but the consensus seems to be that someone may have gotten upset with Reddit’s account ban policy, or one of the moderators on a thread was a little too controlling over the wrong person.
Personally, I’ve had one of my comments censored by a moderator on Reddit because I was being immature on one of my friend’s posts, but nobody knew he was my friend and that we joke around a little aggressively. I wasn’t too happy that my comment was removed, but that was not enough to motivate me to try and take down Reddit from the inside out.
Attack motives can vary widely but a pen test can help reduce the likelihood that an attacker will be able to breach and to play with your data or files.
Reddit Breach Details
Fortunately for the team at Reddit, the attacker was able to gain read-only access to their databases without the ability to change files. Had the attacker been able to edit files in the system, the breach would have probably been two or three times the size in terms of the number of files maliciously impacted.
The systems that were breached stored thousands of users’ backup data, source code, internal logs, and other files. As a remedy, Reddit has provided a link that their users can visit to check if their accounts were compromised, and RedLegg encourages you to do so.
Why You Need 2FA Security
If your Reddit account was compromised, RedLegg suggests changing your account password – and frankly all of your passwords – accordingly. We also suggest enabling two-factor authentication (2FA) security on your account, but NOT by using SMS. This stipulation is important because:
- The SMS form of 2FA is no longer recommended by Reddit after this breach.
- Surprisingly, securing your account with 2FA via SMS allows attackers to intercept SMS messages containing your 2FA code.
This is exactly what happened to Reddit: the attacker intercepted 2FA codes that were meant to reach the employees of Reddit. These intercepted SMS messages eventually circumvented the 2FA Reddit had in place, allowing the attacker to gain read-only access to the company database.
2FA Tokens, Not SMS
The concept of 2FA is great, but it’s more secure when it is deployed using a token rather than SMS. Token-based 2FA allows the user to enter their username and password to obtain a time-limited token. Once the token is obtained, the user can offer it as their authentication without entering a username and password again. If this sounds a little confusing, remember that the token method is the safest form of 2FA.
To better your overall security posture, RedLegg recommends a pen test to validate your current posture and to help close security gaps.
Just want more? Read...