Reddit hacked, in spite of SMS two-factor authentication

File photo: Reddit mascots are displayed at the headquarters in San Francisco, California, April 15, 2014. (REUTERS/Robert Galbraith)

Reddit on Wednesday reported a security breach. The good news? Nothing too big was probably stolen. The bad news? The break-in got past two-factor authentication.

During the mid-June break-in, the hacker gained access to an old backup of Reddit user data, including hashed passwords, from 2007. The offender also viewed logs of Reddit’s “e-mail digests,” which can link a username to an e-mail address, if you provided one.

In other words, the breach seems to have exposed only e-mail address information for existing users, and hashed password data for longtime Reddit fans from more than a decade ago.

“The attacker does not get write access to Reddit systems; they have got read-only access to a number of systems that back up data, source code and other logs,” Reddit engineering said in a post detailing the security incident.


Nevertheless, the breach is raising alarm bells in the IT security community, because the attacker pulled it off by breaking into employee accounts that were supposedly protected by two-factor authentication.

These accounts were configured to require not only a password when logging in, but also a special one-time passcode sent to the employee’s smartphone via a text message.

“We have learned that SMS authentication is not as secure as we hope, and the main attack was via text message interception,” Reddit’s KeyserSosa said, without elaboration.

How does a hacker go about stealing text messages? It is not as difficult as you might think. In the past, cyber criminals have assumed a victim’s identity to trick mobile providers into, in essence, giving them access to the person’s phone number. Hackers with technical expertise and the right hardware can also tamper with mobile technologies to collect text messages sent in the area, or temporarily spoof the person’s phone number.

Whatever the case may be, Reddit is using the security incident to encourage the public to switch to non-SMS-based two-factor authentication. This includes using your smartphone to generate the special one-time code via an app. Another solution is a hardware-based security key, which is what Google has done to stop phishing of the company’s employee accounts.

If you don’t have two-factor authentication, it is a good idea to use it on your most important accounts, such as Facebook or your bank; it can usually be activated in the settings page. Even SMS verification is better than just protecting your account with a password.

For Reddit users who had their login information stolen in the breach, the website will reset passwords and message the respective users with tips on how they can protect themselves.

“Whether or not Reddit prompts you to change your password, think about whether you still use the same password that you used on Reddit 11 years ago on other sites today,” the site said.

This article originally appeared on
