Many tech experts recommend everyone use “two-factor authentication” to secure their online accounts, but sometimes that measure may not be enough, as Reddit learned this week.
The social media company was hacked after its two-factor authentication was breached. Two-factor authentication is an extra layer of security where users verify their identity with a password and also by inputting a code they receive by text, email, or via an app that generates two-factor codes when logging into an account.
Reddit was hacked when the codes used for two-factor authentication were intercepted from a handful of Reddit employees’ phones. Hackers were able to spoof the phone numbers to receive the texts themselves, breaking into the Reddit database. The company said “all Reddit data from 2007 and before” — including user emails, source code, and internal files — was compromised. (A Reddit spokesperson referred MarketWatch to this post for details.)
Reddit said in a statement the hack was discovered on June 19. It noted the attacker had “read-only” access to some systems, and that it was not able to alter any information.
“We are working with federal law enforcement, and have also taken measures to both address this current situation and prevent similar incidents in the future,” the company said in a blog post. “A small number of users were affected and have been notified.”
Two-factor authentication is recommended by most security experts to tighten security on accounts and devices. However, more than half of Americans have never heard of two-factor authentication and even fewer use it: less than 10% of Gmail users have two-factor authentication activated for their accounts, for example. As the Reddit incident showed, even security employees at major companies can be lax on two-factor security, often because it feels inconvenient to add extra steps to the log-in process, said Bill Evans, a vice president at security and identity firm One Identity.
“This is likely just another case of an organization trying to balance security with user, or it appears in this case, admin productivity,” he said. “Two-factor authentication takes time. It takes time for the user or admin to enter a second factor of authentication and as such, they get frustrated. But it does add a level of security.”
Reddit executives would have been better off using a code or “token” that is generated on the device itself and changes in real time, so that no code is ever sent over the phone network where it can be intercepted. Apps such as Duo Security and Google Authenticator let users implement two-factor authentication on their phone, and physical tokens such as the RSA SecurID token display a constantly changing code that users type in to verify their identity. The SecurID token retails for around $40.
You can use two-factor authentication for many of the most popular social networks, including Google, Instagram, Facebook, Twitter and more. The website Turn It On: The Ultimate Guide to Two-Factor Authentication allows users to search any site they are logging into to see if it offers the feature.
The Reddit hack is particularly concerning because the site’s users value their anonymity and often post personal stories, said Jessica Ortega, product marketing associate at security company SiteLock. Users are now at risk of having their accounts accessed or being tied to public posts made under formerly anonymous usernames.
“The disclosure of email addresses and their connected Reddit usernames could potentially mean attackers can identify and ‘dox users’ (release their identifying information) who rely on Reddit for discussing controversial topics or posting controversial images,” she said.
The compromised data dates from 2007 and before, but Reddit is suggesting all users change their passwords.