A SIM card is the tiny, removable chip in a mobile device that allows it to connect to the provider’s network. In one common scenario, known as a SIM-swap, the attacker masquerading as the target tricks the target’s mobile provider into tying the customer’s service to a new SIM card that the bad guys control. Nevertheless, there are a variety of well established ways that attackers can intercept one-time codes sent via text message. Reddit didn’t specify how the SMS code was stolen, although it did say the intruders did not hack Reddit employees’ phones directly. “We point this out to encourage everyone here to move to token-based 2FA.” “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit disclosed. Of particular note is that although the Reddit employee accounts tied to the breach were protected by SMS-based two-factor authentication, the intruder(s) managed to intercept that second factor. The incident also exposed the email addresses of some users who had signed up to receive daily email digests of specific discussion threads.
Reddit said the exposed data included internal source code as well as email addresses and obfuscated passwords for all Reddit users who registered accounts on the site prior to May 2007. In a post to Reddit, the social news aggregation platform said it learned on June 19 that between June 14 and 18 an attacker compromised a several employee accounts at its cloud and source code hosting providers. What’s interesting about the incident is that it showcases once again why relying on mobile text messages (SMS) for two-factor authentication (2FA) can lull companies and end users into a false sense of security.
As Web site breaches go, this one doesn’t seem too severe.
today disclosed that a data breach exposed some internal data, as well as email addresses and passwords for some Reddit users.
0 kommentar(er)
