News Articles

Reddit suffers massive breach as all user data before 2007 is compromised

Source: ITPRO, 01/01/2018

SMS-based two-factor authentication is "not as secure as we thought", the company admits

Reddit has announced it had suffered a "serious attack" in June after a malicious actor intercepted its employees' SMS-based two-factor authentication (2FA) setup.

An attacker compromised a handful of Reddit employees' accounts between 14 and 18 June and gained access to some recent user data, such as email addresses, and all data from between 2005 and 2007, including account credentials and email addresses.

Announcing the breach following an investigation, the social news aggregator said it now realizes text message-based 2FA is "not nearly as secure as we would hope" and has recommended everyone moves to token-based 2FA - after identifying this as the most likely point of intrusion.

"Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs," CTO Chris Slowe posted on Reddit's announcements page.

"They were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems."

Slowe said the company became aware of the breach the following day, on 19 June, and had been working with cloud and source code hosting providers to best understand the full extent of what was compromised.

Among other information accessed were tailored "email digests" sent to users between 3 and 17 June this year, each linked with a username and email address, as well as other data such as Reddit source code, internal logs, and employee workspace files.

Reddit says it has reported the incident to the relevant authorities and is forcing password-resets for users who may have been affected by the incident.
Moreover, the company is taking measures to improve security beyond SMS-based 2FA - including enhanced logging, more encryption and token-based 2FA.

The incident highlights the frailty of SMS-based 2FA, with industry voices overwhelmingly castigating text messages as a secure authentication method in the wake of this breach.

Phone number hijacking, for instance, spiked shortly after SMS-based 2FA became widely adopted, according to Toby Murray, a computing lecturer at the University of Melbourne.

Even in 2016 the US Federal Trade Commission's chief technologist Lorrie Cranor issued a warning about the ease with which attackers can steal mobile phone numbers in order to bypass 2FA and compromise victims' sensitive data, after it happened to her.

"Having a mobile phone account hijacked can waste hours of a victim's time and cause them to miss important calls and messages. However, this crime is particularly problematic due to the growing use of text messages to mobile phones as part of authentication schemes for financial services and other accounts," she wrote on the FTC's website.

"The security of two-factor authentication schemes that use phones as one of the factors relies on the assumption that someone who steals your password has not also stolen your phone number.

"Thus, mobile carriers and third-party retailers need to be vigilant in their authentication practices to avoid putting their customers at risk of major financial loss and having email, social network, and other accounts compromised."

Meanwhile, Reddit's Chris Slowe also announced the company had hired its first head of security two-and-a-half months ago, whom he would not identify by name, adding "he has been put through his paces in his first few months".

