US online forum and news digest website Reddit has fallen victim to a hack, due to the inadequacy of its two-factor Short Message Service (SMS) security system. The hack took place in June and has compromised a relatively small number of accounts, exposing usernames, email addresses and passwords – some going back as far as 2007. Internal logs, source code and configuration files were also jeopardised.
The attackers took advantage of the weakness in SMS two-factor security to penetrate employees’ admin accounts. Reddit has recommended that any account holder with a password dating back to 2007 should change it forthwith.
The company is also advising its account holders not to rely on SMS-based two-factor authentication – instead advocating the use of physical keys or apps. Sadly, Reddit doesn’t seem to have practised what it’s preaching.