SA Migration International

News Articles

Reddit suffers massive breach as all user data before 2007 is compromised

Source: ITPRO, 01/01/2018

SMS-based two-factor authentication is `not as secure as we thought`
the company admits
Reddit has announced it had suffered a `serious attack` in June after
a malicious actor intercepted its employees` SMS-based two-factor
authentication (2FA) setup.
An attacker compromised a handful of Reddit employees` accounts
between 14 and 18 June and gained access to some recent user data,
such as email addresses, and all data from between 2005 and 2007,
including account credentials and email addresses.
Announcing the breach following an investigation, the social news
aggregator said it now realizes text message-based 2FA is `not nearly
as secure as we would hope` and has recommended everyone moves to
token-based 2FA - after identifying this as the most likely point of
intrusion.
`Although this was a serious attack, the attacker did not gain write
access to Reddit systems; they gained read-only access to some systems
that contained backup data, source code and other logs,` CTO Chris
Slowe posted on Reddit`s announcements page.
`They were not able to alter Reddit information, and we have taken
steps since the event to further lock down and rotate all production
secrets and API keys, and to enhance our logging and monitoring systems.`
Slowe said the company became aware of the breach the following day,
on 19 June, and had been working with cloud and source code hosting
providers to best understand the full extent of what was compromised.
Among other information accessed were tailored `email digests` sent to
users between 3 and 17 June this year, each linked with a username and
email address, as well as other data such as Reddit source code,
internal logs, and employee workspace files.
Reddit says it has reported the incident to the relevant authorities
and is forcing password-resets for users who may have been affected by
the incident. Moreover, the company is taking measures to improve
security beyond SMS-based 2FA - including enhanced logging, more
encryption and token-based 2FA.
The incident highlights the frailty of SMS-based 2FA, with industry
voices overwhelming castigating text message as a secure
authentication method in the wake of this breach. Phone number
hijacking, for instance, spiked shortly after SMS-based 2FA became
widely adopted, according to Toby Murray, a computing lecturer at the
University of Melbourne.
Even in 2016 the US Federal Trade Commission`s chief technologist
Lorrie Cranor issued a warning about the ease by which attackers can
steal mobile phone numbers in order to bypass 2FA and compromise their
sensitive data, after it happened to herself.
`Having a mobile phone account hijacked can waste hours of a victim`s
time and cause them to miss important calls and messages. However,
this crime is particularly problematic due to the growing use of text
messages to mobile phones as part of authentication schemes for
financial services and other accounts,` she wrote on the FTC`s website.
`The security of two-factor authentication schemes that use phones as
one of the factors relies on the assumption that someone who steals
your password has not also stolen your phone number.
`Thus, mobile carriers and third-party retailers need to be vigilant
in their authentication practices to avoid putting their customers at
risk of major financial loss and having email, social network, and
other accounts compromised.`
Meanwhile, Reddit`s Chris Slowe also announced the company had hired
its first head of security two-and-a-half months ago, who he would not
identify by name, adding `he has been put through his paces in his
first few months`.

Search

Latest News

This was revealed in the 2025 Easter border operations report, which saw border management authority officials, saps officers and home affairs workers intensify efforts to prevent illegal travel into the country over the holiday period.JOHANNESBURG - Zimbabwean nationals have been identified as the leading individuals attempting to illegally gain entry into South Africa.... Read more...

THE High Court has nullified the re-registration of a birth certificate for a child born out of wedlock, ordering the Registrar-General to strike it from the records.This ruling declared the birth certificate invalid, questioning the legality of attributing paternity to a deceased man decades after his death.The dispute arose from a contested inheritance involving the late Lazarus Mkuduâs estate.Teresiah Mkudu, the applicant, sought a declaratory order to invalidate Ruvimbo Manyondaâs birth certificate, issued nearly 20 years after Mkuduâs death.... Read more...

Residents from 34 countries can now apply for a visa to South Africa online. There are now 34 countries that can apply for a visa to South Africa online, which National Treasury says will help attract more tourists and skills into the country.This was trumpeted in Wednesday`s Medium-Term Budget Policy Statement (MTBPS) as being one of the key successes of Operation Vulindlela. Operation Vulindlela is a joint initiative of the Presidency and National Treasury to assist in the acceleration of critical reforms needed to accelerate the economy.... Read more...