Reddit Suffers Data Breach: What You Need to Do Next

Status
Not open for further replies.

Chaos2Theory

Honorable
Mar 3, 2013

Nothing quite beats election trolls like stealing account information from 2007....
 

therealduckofdeath

Honorable
May 10, 2012

Connecting the dots. Finding old patterns of people. Who's pushing whose buttons. You know, forensics and all that they say agencies like that usually do.
 

lxtbell2

Honorable
Jun 12, 2018
The key can be stolen or lost just like the phone. What is wrong with Google Authenticator if the phone is not stolen?
 

merlinq

Distinguished
Aug 7, 2012


For one, and this is a BIG one:
Many, if not most, people are (at least occasionally, if not regularly) accessing the accounts in question on their smartphone these days.
So if your "Second Factor Authentication" is also on your phone...
Well, it's not really second factor at all in the first place, is it?

Even if it was theoretically secured by a PIN, that has always been pretty weak, and likely not at all cryptographically secure.

Modern hardware keys are really the only way to handle 2FA anymore:
They are easily carried;
In a generally separate location (who really physically ties their wallet or keys to their smartphone anymore?... if so, they should really learn better in this day and age);
Can easily communicate wirelessly with most available smartphones and devices (even Apple, as of a year ago the one stalwart against standardization);
Can use standard USB protocol to communicate with just about any wired device known to man;
Cannot (to my knowledge) be emulated; only physical control of the key can duplicate the signed response, whereas anyone with an appropriate screencap can duplicate your authenticator (or any Time-based One-Time Password algorithm [TOTP] response).
 

lxtbell2

Honorable
Jun 12, 2018


1. It IS second factor authentication, and as secure. The first factor is password, not where the account is accessed. Also you need to plug the hardware key into the device "accessing the accounts" anyway. Don't see a problem with that.
2. Google Authenticator IS cryptographically secure. Read the implementation. Namely, you can't guess the next pin even with all previous pins.
3. Screen capture on phone requires extensive user permission, and invalidated upon end of capture session, due to #2 above.
 

therealduckofdeath

Honorable
May 10, 2012


By those standards, nothing is secure as anything can be stolen. It's a massive hurdle to get past to gain screen capture and keylogging control over a smartphone. You'd basically have to steal the specific one and return it to the owner unnoticed. Sure, that's easy in Tom Cruise movies but not so much in real life. No security is perfect, but 2FA is infinitely safer than a plain password.
 

Chaos2Theory

Honorable
Mar 3, 2013

Dead wrong, nearly all compromised accounts these days come from phishing attacks, and 2FA does nothing to prevent phishing. It's really not much more difficult than obtaining a username and password, full stop.

Edit: 2FA using a code generated by any means, app on the phone, sms, or email. Physical 2FA keys on the other hand work really well.
 
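merlinq's point that only physical control of the key can produce the signed response, and the edit just above that physical keys hold up against phishing where code-based 2FA does not, both come down to origin binding: the key signs over the site identity the browser reports, so an assertion obtained by a look-alike site is worthless at the real one, and nothing the attacker can do with it changes that. The following Go model of that exchange is added here as an illustration and is not from the thread; it uses Ed25519 from the standard library, a constructed relying-party origin and attacker domain, and a simplified assertion format standing in for the real WebAuthn/CTAP encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is the key's response. As in WebAuthn, the origin the browser
// reported is covered by the signature (simplified model, constructed here).
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// signedMessage binds the origin into what the key signs (cf. rpIdHash || clientDataHash).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	return append(h[:], challenge...)
}

// Authenticator models the hardware key: it never sees a password, and it only
// signs over the origin the browser tells it about.
type Authenticator struct{ priv ed25519.PrivateKey }

func (a Authenticator) Sign(origin string, challenge []byte) Assertion {
	return Assertion{Origin: origin, Challenge: challenge,
		Signature: ed25519.Sign(a.priv, signedMessage(origin, challenge))}
}

// RelyingParty is the real site; it remembers issued challenges and accepts each once.
type RelyingParty struct {
	origin  string
	pub     ed25519.PublicKey
	pending [][]byte
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending = append(rp.pending, c)
	return c
}

func (rp *RelyingParty) Verify(a Assertion) bool {
	if a.Origin != rp.origin { // 1. signed for another site: reject outright
		return false
	}
	idx := -1 // 2. challenge must be one we issued; consume it so it cannot be replayed
	for i, c := range rp.pending {
		if bytes.Equal(c, a.Challenge) {
			idx = i
			break
		}
	}
	if idx < 0 {
		return false
	}
	rp.pending = append(rp.pending[:idx], rp.pending[idx+1:]...)
	// 3. signature must verify over origin || challenge
	return ed25519.Verify(rp.pub, signedMessage(a.Origin, a.Challenge), a.Signature)
}

func setup() (Authenticator, *RelyingParty) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authenticator{priv}, &RelyingParty{origin: "https://www.reddit.com", pub: pub}
}

// legitimateLogin: the browser is on the real origin, so the key signs for it.
func legitimateLogin() bool {
	key, rp := setup()
	return rp.Verify(key.Sign(rp.origin, rp.NewChallenge()))
}

// phishingRelay: the attacker's page fetches a real challenge and forwards it,
// but the victim's browser reports the attacker's origin to the key.
func phishingRelay() bool {
	key, rp := setup()
	const phishOrigin = "https://reddit-login.example" // constructed attacker domain
	challenge := rp.NewChallenge()                    // obtained by the attacker from the real site
	stolen := key.Sign(phishOrigin, challenge)        // victim taps the key on the phishing page
	if rp.Verify(stolen) {
		return true
	}
	stolen.Origin = rp.origin // rewriting the field does not help: the origin hash is signed
	return rp.Verify(stolen)
}

// replay: a genuine assertion captured in transit cannot be presented twice.
func replay() bool {
	key, rp := setup()
	a := key.Sign(rp.origin, rp.NewChallenge())
	rp.Verify(a)
	return rp.Verify(a)
}

func main() {
	fmt.Println("legitimate login accepted:  ", legitimateLogin())
	fmt.Println("phishing relay accepted:    ", phishingRelay())
	fmt.Println("replayed assertion accepted:", replay())
}
```

Contrast this with a relayed TOTP code: the code carries no notion of which site the user typed it into, so a real-time phishing proxy that forwards it within the 30-second window logs in as the victim. Here the same relay fails at step 1, and forging the origin field fails at step 3, because the browser, not the user, decides what origin the key signs for.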

therealduckofdeath

Honorable
May 10, 2012


Your idea of all hackers homing in on each target with a vengeance is out of touch with reality. Almost all breaches use stolen password databases which are often obtained by exploiting either poor server security or lacking procedures. Trying to get onto one specific device and bypass all layers of security, undetected, to get to the 2FA is a lot of work for little return. Even agencies hacking countries use injected 0-day malware to randomly compromise computers on targeted networks and hope for the best return.
https://www.calyptix.com/top-threats/top-causes-of-data-breaches-by-industry-2018-verizon-dbir/
 

Karadjgne

Titan
Ambassador
So somebody figured out how to get deep into reddit? Why? What did they expect to find other than the accounts of 15-year-old kids whose major contributions consisted of maintaining Webster's Vulgarity Dictionary, Thesaurus, and Localized Slang.
 

TJ Hooker

Titan
Ambassador
To be honest, this leak doesn't sound like a big deal unless you considered your Reddit account to be truly anonymous/untraceable to your real identity (and posted sensitive things accordingly). Which I'm sure a number of people do, but really shouldn't.
 