The social media service Reddit was reportedly breached, according to a blog post released August 3rd. The service revealed that in June a hacker accessed one of its older servers and compromised emails, data verification and everything that was on the server up to 2007.
The breach was caused by the lack of a simple yet overlooked security measure. Dual-factor authentication has become increasingly popular as a way for people to secure their passwords and their accounts. (Cyber Tip DFA) In Reddit’s case, the employees did not do a proper job of setting up the service. Instead of a key you get from the site when you log in, they used a simple PIN or even their phone numbers to log in. This made it easy for hackers to find those who worked for Reddit and enter the site. The damage at this time seems to be like that of other hacks, in that the hackers accessed the passwords by compromising the employees’ administrator accounts. [1]
What this hack has done is expose a weakness in dual-factor authentication. While it works if used properly, the methods used to activate it vary. Those compromised in the hack used SMS-based authentication, i.e. using their phones as their second source. Tech companies had, for years, raised concerns about using your phone as your only way of activating your dual-factor authentication. The reason is that hackers can use a process called SIM swapping, essentially switching the codes of your SIM card remotely and having free access to your files from there. Hackers essentially used one person’s phone number to get into one of the largest social network sites on the internet and steal people’s email addresses and accounts. [2]
The danger of your data being compromised is the biggest thing facing not only tech companies but any company that uses computers for its everyday business. Dual-factor authentication is still a good step to take, but you can’t just rely on your phone; you need something more secure than just your phone number. Social engineering can also compromise your data with just a few clicks on the wrong page.
[1] https://www.businessinsurance.com/article/20180802/NEWS06/912323092/Reddit-says-user-data-between-2005-and-2007-breached
[2] https://www.wired.com/story/reddit-hacked-thanks-to-woefully-insecure-two-factor-setup/