Hackers Snagged Reddit IT Admin Accounts
Reddit is the most known discussion forum on the internet, and later today they announced that the hacker managed to fiddle with their system and have managed to leak user’s data and other information.
In a post-mortem, Reddit said the attack was serious and resulted in an old database backup and a newer set of “email digests” sent to users being accessed.
In a statement, Reddit said that the attack was severe and it has cost them old database backup being accessed. The backup files have information like username, hashtags, passwords and other public content. The files also had private messages of users from 2005 till 2007, besides employees’ workspace files.
Nevertheless, the hackers were not able to gain entry into Reddit systems and hence could not delete any files or data. The only way they gained access was through Reddit employee accounts with their cloud and source code hosting providers. Reddit has a two-factor authentication to keep its staff login secured, and the response code was transmitted via SMS, which was intercepted by the hackers.
Reddit founding engineer Christopher Slowe said “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,”
SMS authentication continues to be widely used, in spite of the fact that it is insecure. Reddit has now decided to protect its staff logins with token-based 2FA rather than SMS codes. It will notify affected users of the data breach, and reset their passwords, said Reddit.
Some Reddit users reported that they had already received extortion-based phishing emails that cited the hacked credentials.
The emails quote the passwords taken from the 2007 database backup, and claim malware has been installed on users’ computers that are able to record what’s on the screen as well as activate the webcam.
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.