- The security incident disclosed Wednesday by social media network Reddit shows how attackers can compromise accounts by intercepting text messages, including the one-time codes delivered by SMS-based two-factor authentication.
- Impacted user data includes email addresses and a 2007 database backup that had old salted and hashed passwords.
- Attackers also had read access to storage systems, including Reddit source code, internal logs, configuration files and other employee workspace files.
“We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said in its announcement. “We point this out to encourage everyone here to move to token-based [two-factor authentication].”
For years, security researchers have said that authenticator apps or hardware tokens that generate a One-Time Password (OTP) alongside the traditional credentials are a more secure form of authentication than SMS-based codes, which can be hijacked to give attackers access to accounts.