Reddit, the front page of the internet as they call themselves, is one of the most visited pages online. According to Alexa Internet they rank as the #3 most visited websites in the US und #6 worldwide which is quite an achievement – just imagine how many registered users the page must have. And now imagine how many users are affected, when it gets hacked, which is exactly what happened.
The stolen data is oooooold
According to reddit the attack happened between June 14 and June 18. The cybercriminal apparently managed to compromise some of the employees’ accounts and gain access to some of the systems that contained backup data, source code, and some logs. While reddit admits that it was a serious attack, they also point out that it could have been far worse if the user would have gained access to other systems.
Reddit itself lists the stolen data as following:
- All Reddit data from 2007 and before. This includes account credentials (username + salted hashedpasswords), email addresses, and public as well as private messages. The site itself was launched 2005, so that’s 2 years’ worth of user information.
- Email digests sent in June 2018. This includes the email that was sent and the username and email address to which is was sent.
In case your account information might have been compromised by the attack, reddit will send you an email with further information. Also: if you have an old account and have a) never changed the password and / or b) have other accounts that use the same one, now might be a good time to change it.
Yes, 2FA can be bypassed
Now before you are thinking that it’s yet another company whose employees did not care for security you are mistaken. Apparently the targets even used a kind of two factor authentication – it just was the least secure one, the SMS-based version. While still better than nothing it is way too easy to intercept the messages. The US National Institute for Standards and Technology even advised against using it some years ago.
Nonetheless and just to make a point: Before you use no 2FA, please use the SMS one. If you have the choice though, opt for a token based or similar system.
this post first appeared on the Avira Blog