Password breach teaches Reddit that, yes, phone-based 2FA is that bad

Enlarge (credit: Misaochan)
A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.
In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.
Wednesday’s post said that the breached employee accounts were


Original URL: https://arstechnica.com/?p=1351801

Original article

Comments are closed.

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: