Reddit Breach Shows Threats of SMS-Based Two-Factor Authentication
- Salman Ahmed
- August 2nd, 2018
On 1 August 2018, Reddit officials announced that the forum had been attacked by unidentified hackers in June, exposing data from some of its core systems. However, the amount and sensitivity of the data the attackers accessed was not critical.
The primary cause of the breach was the weakness of SMS-based two-factor authentication, which should be an alarming finding for forums like Reddit that still rely on this security mechanism.
A post by Reddit CTO Chris Slowe stated, “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.
Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.
Now that we’ve concluded our investigation sufficiently to understand the impact, we want to share what we know, how it may impact you, and what we’ve done to protect you and us from this kind of attack in the future.”
Furthermore, Reddit officials also explained that they do not depend on SMS two-factor authentication on a regular basis; it is only used occasionally, as a fallback option when the authenticator app or token does not work.
There is no doubt that Reddit's security provides strong protection for its users, although it had not yet moved fully to the more secure authenticator-app or token mechanisms. Moreover, NIST had already flagged SMS-based two-factor authentication as one of the weakest authentication methods back in 2016.