Reddit notified its users yesterday of a data breach that occurred on June 19th but it appears that the hacker only accessed a backup file containing email addresses and hashed password data from 2007. “The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs,” a Reddit engineer said. However, the IT world is quite concerned because the attacker managed to hack into employees’ accounts which were protected by two-factor authentication which required a password and a one-time password sent via SMS to the user’s smartphone. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” the engineer said. Reddit has notified law enforcement officials and are notifying the affected individuals. Reddit users who may have had their credentials compromised will receive tips on how to protect themselves and the website will reset their passwords. The company also advised affected users to change the password on other sites if they have been using the same one for the past eleven years.
