Analyzing the Reddit Data Breach

Reddit reports that between 14 and 18 June 2018, attackers compromised accounts belonging to several of its employees and, through them, gained access to an old database backup from 2007 and a small number of current email addresses. The 2007 backup contained usernames, email addresses and salted, hashed passwords.


The attackers hijacked the employee accounts through a technique called SMS intercept, whereby the text messages sent to a target are redirected to the attacker. The weak link was SMS-based two-factor authentication: the one-time codes that served as the second factor were delivered over the phone network, so once the attackers could read the employees' messages, the second factor was theirs and the accounts followed. Note that intercepting the SMS code defeats only the second factor; it does not by itself yield the first one, the employees' passwords.

What bothers me most is that Reddit, the hub of the internet, was still relying on such an outdated authentication mechanism. Two years ago, in 2016, the National Institute of Standards and Technology deprecated SMS as an out-of-band second factor in its draft Digital Authentication Guideline (SP 800-63B), signalling that the method should be phased out: https://techcrunch.com/2016/07/25/nist-declares-the-age-of-sms-based-2-factor-authentication-over/

By blatantly ignoring these warnings, Reddit put our credentials at stake. Nevertheless, it promises to switch to token-based two-factor authentication and encourages others to do likewise.

But will token-based two-factor authentication solve the problem? Not entirely. The bugs researchers recently found in old JSON Web Token libraries concern session tokens rather than one-time codes, so they are not a weakness of the authenticator scheme itself; the real residual risk is that a code generated by an authenticator app can still be phished and relayed to the genuine site within its validity window. A permanent fix is unrealistic in the cyber world. Until the next, better authentication mechanism comes along, token-based 2FA is what we have, and it is a clear step up from SMS.
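To make the distinction concrete, here is an added example (not Reddit's code and not part of the original post) of the token-based scheme the post refers to: RFC 6238 TOTP, where the code is computed on the user's device from a shared secret and the clock, so there is no message in transit for an SMS intercept to capture. The secret and timestamps are the RFC's published test values; the verifier's acceptance window and the last-used-counter replay check are assumptions a real deployment would tune. The verifier also shows the caveat above: a code phished from the user and relayed within the window is indistinguishable from the user's own.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"); test value, not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Computed locally, never sent to the device."""
    return hotp(secret, int(for_time) // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, now: float, last_counter: int = -1,
                window: int = 1, step: int = 30):
    """Server-side check. Returns the matching time-step counter, or None.

    - Accepts the current step and up to `window` steps either side to tolerate clock drift
      (window=1 is an assumed, common choice).
    - Rejects any counter <= last_counter so a code cannot be replayed inside its window;
      the caller must persist the returned counter per user.
    - Uses a constant-time comparison so timing does not leak how many digits matched.
    Note: a code phished from the user and relayed here within the window still verifies;
    TOTP proves possession of the secret, not that the user is talking to the genuine site.
    """
    counter = int(now) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, step and 6), candidate):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T = 59 with SHA-1 gives 94287082 (8 digits).
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59, digits=8))
    # Current code for this secret, then verify it and record the counter to block replay.
    now = time.time()
    code = totp(RFC_TEST_SECRET, now)
    used = verify_totp(RFC_TEST_SECRET, code, now)
    print("first use accepted at counter", used)
    print("replay accepted?", verify_totp(RFC_TEST_SECRET, code, now, last_counter=used) is not None)
```

In production the per-user secret is generated from `secrets.token_bytes(20)`, shared once (typically as an `otpauth://` QR code) and stored encrypted; the last accepted counter is stored alongside it. The window and replay check are the two knobs most often missed by hand-rolled verifiers.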