Reddit Suffers Data Breach: What You Need to Do Next

[Lucian Armasu]

Attackers were able to intercept the SMS two-factor authentication codes of Reddit employees and then use them to gain access to some of the company's user data.

Reddit Suffers Data Breach: What You Need to Do Next : Read more

 

[therealduckofdeath]

That sounds like a fairly elaborate hack. I wonder if a certain grumpy American intelligence agency is out doing some counter zpying on the election trolls?

 

[Chaos2Theory]

That sounds like a fairly elaborate hack. I wonder if a certain grumpy American intelligence agency is out doing some counter zpying on the election trolls?

Nothing quite beats election trolls like stealing account information from 2007....

 

[therealduckofdeath]

Nothing quite beats election trolls like stealing account information from 2007....

Connecting the dots. Finding old patterns of people. Who's pushing whom's buttons. You know, forensics and all that they say agencies like that usually do.

 

[lxtbell2]

The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?

 

[merlinq]

The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?

For one, and this is a BIG one:
Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
So if your "Second Factor Authentication" is also on your phone...
Well, it's not really second factor at all in the first place, is it?

Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

Modern hardware keys are really the only way to handle 2FA anymore:
They are easily carried;
In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
Can use standard USB protocol to communicate with just about any wired device known to man;
Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm [TOTP] response.)

 

[lxtbell2]

The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?

For one, and this is a BIG one:
Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
So if your "Second Factor Authentication" is also on your phone...
Well, it's not really second factor at all in the first place, is it?

Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

Modern hardware keys are really the only way to handle 2FA anymore:
They are easily carried;
In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
Can use standard USB protocol to communicate with just about any wired device known to man;
Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm [TOTP] response.)

1. It IS second factor authentication, and as secure. The first factor is password, not where the account is accessed. Also you need to plug the hardware key into the device "accessing the accounts" anyway. Don't see a problem with that.
2. Google Authenticator IS cryptographically secure. Read the implementation. Namely, you can't guess the next pin even with all previous pins.
3. Screen capture on phone requires extensive user permission, and invalidated upon end of capture session, due to #2 above.

 

[therealduckofdeath]

For one, and this is a BIG one:
Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
So if your "Second Factor Authentication" is also on your phone...
Well, it's not really second factor at all in the first place, is it?

Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

Modern hardware keys are really the only way to handle 2FA anymore:
They are easily carried;
In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
Can use standard USB protocol to communicate with just about any wired device known to man;
Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm [TOTP] response.)

By those standards, nothing is secure as anything can be stolen. It's a massive hurdle to get past to gain screen capture and key logging control over a smart phone. You'd basically have to steal the specific one and return it to the owner unnoticed. Sure, that's easy in Tom Cruise movies but not so much in real life. No security is perfect, but 2FA is infinitely safer than a plain password.

 

[Chaos2Theory]

For one, and this is a BIG one:
Many, if not most, people are (at least occasionally, if not) regularly accessing the accounts in question on their smartphone these days.
So if your "Second Factor Authentication" is also on your phone...
Well, it's not really second factor at all in the first place, is it?

Even if it was theoretically secured by a pin, that has always been pretty weak, and likely not at all cryptographically secure.

Modern hardware keys are really the only way to handle 2FA anymore:
They are easily carried;
In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
Can easily communicate wirelessly with most available smartphones and devices (even apple, as of a year ago, the one stalwart against standardization.);
Can use standard USB protocol to communicate with just about any wired device known to man;
Can not (in knowledge) be emulated, only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm [TOTP] response.)

By those standards, nothing is secure as anything can be stolen. It's a massive hurdle to get past to gain screen capture and key logging control over a smart phone. You'd basically have to steal the specific one and return it to the owner unnoticed. Sure, that's easy in Tom Cruise movies but not so much in real life. No security is perfect, but 2FA is infinitely safer than a plain password.

Dead wrong, nearly all compromised accounts these days come from Phishing attacks, and 2FA does nothing to prevent phishing. Its really not much more difficult than obtaining a username and password, full stop.

Edit: 2FA using a code generated by any means, app on the phone, sms, or email. Physical 2FA keys on the other hand work really well.

 

[therealduckofdeath]

Dead wrong, nearly all compromised accounts these days come from Phishing attacks, and 2FA does nothing to prevent phishing. Its really not much more difficult than obtaining a username and password, full stop.

Edit: 2FA using a code generated by any means, app on the phone, sms, or email. Physical 2FA keys on the other hand work really well.

Your idea of all hackers homing in on each target with a vengeance is out of touch with reality. Almost all breaches use stolen password databases which are often obtained by exploiting either poor server security or lacking procedures. Trying to get onto one specific device and bypass all layers of security, undetected, to get to the 2FA is a lot of work for little return. Even agencies hacking countries use injected 0-day malware to randomly compromise computers on targeted networks and hope for the best return.
https://www.calyptix.com/top-threats/top-causes-of-data-breaches-by-industry-2018-verizon-dbir/

 

[Karadjgne]

So somebody figured out how to get deep into reddit? Why? What did they expect to find other than the accounts of 15yr old kids whose major contributions consisted of maintaining Webster's Vulgarity Dictionary, Thesaurus, and Localized Slang.

 

[TJ Hooker]

To be honest, this leak doesn't sound like a big deal unless you considered your Reddit account to be truly anonymous/untraceable to your real identity (and posted sensitive things accordingly). Which I'm sure a number of people do, but really shouldn't.

 

[Karadjgne]

Wonder how many ppl actually live at 123 4th Street, Someplace NY 12345.