Reddit Announces Account Data Breach
Social news site Reddit has announced that an attacker accessed some of its user data in June 2018. The breach isn’t severe, as the account data stemmed from the site’s earliest days, between 2005 and 2007, along with email digests sent in June 2018. Regardless, if you’re a Reddit user and aren’t certain that you’ve changed your password in the last decade, you should do so and enable two-factor authentication. Reddit also recommends deleting anything you’ve posted to Reddit that you may not want associated with your email address.
The larger lesson is to avoid two-factor authentication systems that rely on SMS messages, since the breach of the Reddit employee accounts was facilitated by an SMS intercept. Instead, use systems that rely on an authentication app, like 1Password, Authy, or Google Authenticator.
I haven’t been able to enable two-factor authentication using the provided instructions. I’m using Safari. Any reason to think another browser might be required? When I logged into my account as the first step, I was prompted to add my email address. Although the process seemed to indicate that my email had been successfully added, clicking the enable two-factor link continues to inform me that I must add a verified email address. A button for verifying email is displayed in the same pop-up window, but when I click it, the window disappears and nothing else happens. It feels like a pop-up window problem, but I don’t have pop-ups disabled, and the first one certainly appeared without a problem. I’ve tried quitting the browser and starting again without success.
I was able to create 2fa on reddit yesterday using Safari, so it’s not anything to do with the browser.
Thanks. I was eventually able to find another widget at the site that let me verify my email address and proceed with enabling two-factor authentication, but I’m not sure I want to install a separate mobile app just to authenticate at reddit.
I have 2FA using an Authenticator app for Google accounts, Facebook, Twitter, Amazon, Microsoft, Dropbox, Backblaze, and Protonmail (thinking of switching from Gmail; not so sure yet.) Anywhere I can get 2FA, I get it. I want that one last bit of protection from somebody stealing an account.
Um…doesn’t Apple use SMS messages for their 2fa? That at least seems to be the case for accessing their Global Service Exchange (GSX) and Device Enrollment Program (DEP) portals. I would love it if I could get those to work with Authenticator or 1Password instead.
For Apple’s two-factor authentication (as opposed to two-step verification, which they’re deprecating) they have a direct channel to other enrolled Apple devices—you get a dialog on your Mac and iPhone and iPad that you can interact with to get the 6-digit code. Two-step verification does use SMS and I imagine that’s part of why it’s being phased out.
I don’t know how the GSX and DEP portals work.