Security Bits – WebAuthn, Pentagon Says No GPS, Reddit Breach


Security Medium — The Reddit Breach

Reddit notified users that they’ve discovered a security breach that took place in June this year:

A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.

In theory a salted, hashed password should be safe, but that’s only true if the password itself was strong and the hashing algorithm was strong. The best-practice hashing algorithms from a decade ago were nowhere near as strong as today’s best-practice algorithms, so I would advise assuming the affected passwords have been, or will soon be, cracked.
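To make that concrete, here is an added example (not Reddit’s code, and not based on any knowledge of how Reddit actually stored passwords in 2007) contrasting an assumed decade-old scheme, a single salted SHA-1 pass, with a deliberately slow modern one, PBKDF2-HMAC-SHA256. The cost of one verification is also the cost of one attacker guess against a leaked backup, which is the whole point.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration: "legacy" is an assumed 2007-era salted SHA-1 scheme,
# "modern" is PBKDF2-HMAC-SHA256 at an OWASP-level iteration count.
PBKDF2_ITERATIONS = 600_000  # slow on purpose: roughly 0.3 s per guess on a laptop


def hash_legacy(password: str, salt: bytes) -> bytes:
    """One SHA-1 pass over salt||password: cheap to verify, cheap to brute-force."""
    return hashlib.sha1(salt + password.encode()).digest()


def hash_modern(password: str, salt: bytes) -> bytes:
    """PBKDF2: each verification (and each attacker guess) costs 600k HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str, hasher) -> tuple:
    """Return (salt, hash) with a fresh 16-byte random salt per user."""
    salt = secrets.token_bytes(16)
    return salt, hasher(password, salt)


def verify(password: str, salt: bytes, stored: bytes, hasher) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(hasher(password, salt), stored)


def relative_cost(password: str = "correct horse battery staple") -> float:
    """How many legacy verifications fit in the time of one modern verification.

    A leaked table of legacy hashes can be guessed against at about this
    multiple of the speed, which is why a 2007 backup should be treated as cracked.
    """
    salt = secrets.token_bytes(16)
    t0 = time.perf_counter()
    for _ in range(1000):
        hash_legacy(password, salt)
    legacy = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hash_modern(password, salt)
    return (time.perf_counter() - t0) / legacy


if __name__ == "__main__":
    salt, stored = make_record("hunter2", hash_modern)
    print("modern verify, right password:", verify("hunter2", salt, stored, hash_modern))
    print("modern verify, wrong password:", verify("hunter3", salt, stored, hash_modern))
    print(f"one modern guess costs about {relative_cost():,.0f} legacy guesses")
```

The ratio printed at the end is the factor by which a defender has slowed down offline guessing simply by choosing the right algorithm; a strong, unique password is what makes even the legacy case survivable.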

So, based on that, my advice would be to:

  1. Reset your Reddit password.
  2. Enable Reddit’s token-based 2FA (instructions).
  3. If you used that same password anywhere else, change it there too.
  4. If you’re not already using a password manager, give it serious consideration! (I recommend 1Password for families)

What’s probably the most interesting thing about this hack is how the attackers got in — they used SMS spoofing to get around the two-factor authentication protecting some back-end systems that power the service. We’ve known for some time now that SMS is insecure, and that SMS-based 2FA really is the least effective form of commonly used 2FA. This really underlines the point. My advice to people is to use SMS for 2FA only when the only other choice is no 2FA at all. It may be the least effective form of 2FA, but any 2FA is better than none!


  • Un-patched Mikrotik routers being used in a massive cryptojacking campaign —…
  • Details have been released of an already-patched bug in Apple’s Mobile Device Management (MDM) platform that allowed Macs to be hijacked while they were being enrolled in an organisation’s system. There’s no need to panic about this one because the bug was hard to exploit, only affected users who registered their devices with an MDM system, and has already been patched —…
  • 🇺🇸 The WSJ has reported that Facebook is in negotiations with US banks to integrate with Facebook Messenger, and hence to have data flowing between users and their banks through Facebook. This set off a lot of people’s privacy spidey-senses, so Facebook responded by saying they didn’t want users’ banking data, just to offer cool features like the ability to see your bank balances in Facebook and to chat with your bank’s bots on the platform —…

