Last month, Reddit.com, which recently surpassed Twitter in active users to become the world's fourth most popular social media site, was attacked and successfully breached by an unknown hacker. It is the latest social media platform to suffer an attack of this magnitude.
Little is known about the motive. The popular guess is that someone was upset with Reddit's account ban policy, or that a moderator on a thread was a little too controlling toward the wrong person. Personally, I once had a comment removed by a moderator for being immature on a friend's post; nobody knew he was my friend and that we joke around a little aggressively. I wasn't happy about it, but it was hardly enough to motivate me to take Reddit down from the inside.
Fortunately for the team at Reddit, the hacker gained only read access to the affected systems and could not modify anything. Write access would have made the breach considerably worse: an attacker who can alter source code, configuration, or stored data can tamper with the service rather than merely copy what is there. The systems that were breached stored backup data for thousands of users, source code, internal logs, and other files. As a remedy, Reddit has provided a link that users can visit to check whether their accounts were affected, and RedLegg encourages you to do so.
If your Reddit account was compromised, RedLegg suggests changing your account password, and frankly all of your passwords. We also suggest enabling two-factor authentication (2FA) on your account, but NOT via SMS. This matters for two reasons:
- Reddit itself no longer recommends SMS-based 2FA in the wake of this breach.
- SMS is not a secure delivery channel: a code sent by text message can be intercepted or redirected before it reaches your phone (for example by a SIM swap against your carrier, or by abuse of the phone network itself), so an attacker who already has your password can still complete the login.
This is exactly what happened to Reddit: the hacker intercepted SMS 2FA codes meant for Reddit employees, used them to get past the 2FA Reddit had in place on those accounts, and from there gained read-only access to the company's systems.
The concept of 2FA is sound, but it is far stronger when the second factor is a token generated on your own device rather than a code sent over SMS. With token-based 2FA (an authenticator app or hardware token implementing the TOTP standard), the service and your device share a secret once, at enrollment. From then on the device derives a short-lived six-digit code from that secret and the current time, and you enter that code alongside your username and password. Nothing travels over the phone network, so there is no message to intercept, and each code expires within seconds. If this sounds a little confusing, the practical takeaway is simple: switch your Reddit 2FA from SMS to an authenticator app. (A phishing-resistant hardware security key is stronger still where a service supports one, but an authenticator app is the minimum you should use.)