Reddit uses two-factor authentication (2FA) to protect its primary access points for code and infrastructure, but Reddit said SMS-based authentication, which was targeted by the attacker, is "not almost as secure" as the company thought. The attacker broke into some of its systems and gained access to some user data, but did not manage to modify any of the site's content.
The company is sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. Even where the second factor is generated by a mobile app rather than SMS, that one-time code still has to be typed into the same login page on a website along with the user's password, which means both the password and the one-time code can still be subverted by phishing, man-in-the-middle and credential replay attacks. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits the user subscribes to. This means email addresses, usernames, and salted and hashed passwords were likely accessed.
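The paragraph above makes the point that a one-time code typed into a login page is just another secret the page can hand to the wrong party. The example below is added here to illustrate that point and its partial mitigations; it is not Reddit's code and is not taken from the article. It implements RFC 6238 TOTP over HMAC-SHA1, a verifier that refuses to accept the same time step twice (so a captured code cannot be replayed once the real user has used it), and, for contrast, a simplified origin-bound challenge response in the style of WebAuthn, where the response is bound to the site it was produced for and therefore fails verification if it was produced for a different origin. The user name, the shared secret, the device key, the challenge and the origins are constructed sample values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time / step."""
    return hotp(secret, int(at // step), digits)


class TotpVerifier:
    """Server-side TOTP check that accepts a small clock skew but never the same step twice.

    Replay protection only blocks a *second* use of a code. A code relayed from a
    look-alike page before the real user submits it is indistinguishable from a
    legitimate one, which is why TOTP alone does not stop real-time phishing.
    """

    def __init__(self, step: int = 30, window: int = 1) -> None:
        self.step = step
        self.window = window
        self.last_counter: dict[str, int] = {}  # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        counter = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if hmac.compare_digest(hotp(secret, candidate, len(code)), code):
                if candidate <= self.last_counter.get(user, -1):
                    return False  # this step (or an older one) was already consumed
                self.last_counter[user] = candidate
                return True
        return False


def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> str:
    """Origin-bound response: the authenticator signs the challenge together with the
    origin it believes it is talking to (the browser supplies that origin, not the page)."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def verify_challenge(device_key: bytes, challenge: bytes, expected_origin: str, response: str) -> bool:
    """The relying party recomputes over its *own* origin; a response produced for any
    other origin does not verify, so relaying it is useless."""
    expected = sign_challenge(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    # Constructed sample values; not real credentials or sites.
    secret = b"12345678901234567890"          # RFC 6238 test-vector seed
    device_key = b"constructed-device-key"
    challenge = b"constructed-server-nonce"
    real_origin = "https://example.com"
    other_origin = "https://example.net"      # stands in for a look-alike page

    verifier = TotpVerifier()
    code = totp(secret, 59)                   # RFC 6238 vector: step 1 -> "287082"
    first_use = verifier.verify("alice", secret, code, 59)
    replay = verifier.verify("alice", secret, code, 70)  # same step, already consumed

    bound_ok = verify_challenge(device_key, challenge, real_origin,
                                sign_challenge(device_key, challenge, real_origin))
    bound_relayed = verify_challenge(device_key, challenge, real_origin,
                                     sign_challenge(device_key, challenge, other_origin))
    return {
        "totp_code": code,
        "totp_first_use_accepted": first_use,
        "totp_replay_accepted": replay,
        "origin_bound_accepted": bound_ok,
        "origin_bound_relayed_accepted": bound_relayed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first TOTP use is accepted and the replay of the same step is rejected, but nothing in the TOTP path can tell a relayed code from a legitimate one; only the origin-bound response fails when it was produced for a different site. That is the practical difference between "a second factor" and a phishing-resistant second factor.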
"We learned that SMS-based authentication is not almost as secure as we would hope", wrote Mr Slowe.
Reddit says it has taken preventative steps to secure the site from additional attacks and has rotated all production secrets and API keys.
"This is personally identifiable data that's been exposed in what is unequivocally a data breach, why on earth wouldn't you notify people?" said renowned security researcher Troy Hunt, a specialist in data breaches affecting consumers. Not only that but email digests sent in June 2018 were also accessed. While Reddit has two-factor authentication in place for its employees, it used SMS-based authentication, which is less secure than other methods.
If you were impacted, you should absolutely change your password, especially if it's the same one you've used for over a decade.
When asked by the BBC, a spokesperson for Reddit refused to share any estimate for how many users may be affected.
Keith Graham, chief technology officer at SecureAuth + Core Security, said the news demonstrates that "organizations need to go further than just two-factor authentication, utilizing identity platforms that join silos of data together to create comprehensive identity controls".