The “serious attack” against Reddit, disclosed earlier this week, may have only resulted in a limited breach, but Reddit’s engineering team and many experts in the security industry believe it should be a strong wake-up call for organizations to bolster their methods of two-factor authentication (2FA).
According to Reddit’s engineering staff, “we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident,” which exposed old user data and hashed credentials. In its announcement of the scope of the breach, the firm encouraged fellow security professionals to move to token-based authentication.
That lesson was heard in a loud refrain from security pundits following Reddit’s disclosure.
“While lots of organizations think 2FA is a silver bullet for authentication, it actually isn’t, thanks to weaknesses in mobile networks that allow SMSes to be intercepted,”