Once more unto the breach, dear friends.
Reddit, the popular social networking site, announced today that they’d been hacked and that attackers had gotten access to users’ personal information:
All Reddit data from 2007 and before including account credentials and email addresses.
What was accessed: A complete copy of an old database backup containing very early Reddit user data – from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
It’s bad news for Reddit, but what’s most interesting is that, per their
blogpost, the hacker seems to have obtained access to user data by circumventing Reddit’s two-factor authentication, intercepting SMS messages with one-time login codes.
Two-factor wha’?
It sounds techy, but if you’ve ever used an ATM, you’re familiar with two-factor authentication (also called 2FA). To access your account or withdraw money, ATMs require something you have (your bank card) and something you know (your four-digit PIN).
The same thinking is behind 2FA for email, Twitter, Facebook, and many other web services.
If you’re like over 90 percent of Gmail users, you don’t use 2FA. You type something you know (your password), and you’re on your way.
2FA adds another step — the something you have. After you type in your password, you receive a six-digit code in a text message that you have to type into your web browser.
Here’s 2FA in action: