2 Replies - 770 Views - Last Post: 10 September 2018 - 05:55 AM

#1 modi123_1

  • Suitor #2
Reputation: 15360
  • Posts: 61,603
  • Joined: 12-June 08

Reddit breach..

Posted 02 August 2018 - 08:53 AM

Heads up about a Reddit breach.

Short of it:

Quote

Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.

https://arstechnica....fa-is-that-bad/


Quote

TL;DR: A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.

What happened?

On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.

Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs. They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems.

What information was involved?

All Reddit data from 2007 and before including account credentials and email addresses

What was accessed: A complete copy of an old database backup containing very early Reddit user data -- from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.

How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
[...]

https://www.reddit.c...at_you_need_to/

Quote

A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.

~arstechnica link above

Seems the apps that have the generated code are a moderate tick better. Personally I think everyone needs a giant novelty size keyring of RSA fobs to tote around. ;)

Replies To: Reddit breach..

#2 Skydiver

  • Code herder

Reputation: 7139
  • Posts: 24,246
  • Joined: 05-May 12

Re: Reddit breach..

Posted 25 August 2018 - 11:31 AM

Slightly off topic: perhaps a giant novelty sized key ring of RSA fobs will keep me from putting my RSA key fob in the laundry for a fourth time.

#3 Carly Swinson

  • New D.I.C Head

Reputation: 0
  • Posts: 9
  • Joined: 10-September 18

Re: Reddit breach..

Posted 10 September 2018 - 05:55 AM

Hmmmmm RSA SecurID hardware tokens, interesting choice. I may also go with this idea. :^: