Yet another data breach
Published 3:00 am Friday, August 10, 2018
According to Alexa.com, Reddit.com is the fifth most popular website in the U.S. and 10th in the world. On August 1, Reddit announced that they suffered a data breach. They were hacked.
Reddit is a forum-hosting website. Reddit is often referred to as the “front page of the internet”. It was founded in 2005. Reddit is popular as a news aggregation service and discussion site. Members submit various types of content and, often, the content is voted up or down by other members. I visit the site to look at Seinfeld memes – J. Peterman, anyone?
According to Reddit, the site was breached between June 14 and 18, this year. The thief stole current email addresses of some of the current registered users, along with a 2007 database backup of usernames, messages, and old passwords. Other data, including Reddit source code, server logs, configuration files and employee workspace files, may have been compromised as well.
Currently, Reddit believes the hack occurred as the result of a relatively sophisticated attack against its two-factor authentication system. Reddit uses two-factor authentication to add an extra layer of protection to the common username/password authentication system. After entering a username and password, the system sends an SMS (text) message to the user, containing a secondary passcode. When that passcode is entered, the user is able to access the site. You are probably familiar with this type of two-factor authentication; many banks require it for access to online banking.
Two-factor authentication is a solid approach to enhancing authentication. However, it is not bulletproof, especially when the second factor is delivered by SMS.
Through a rather complicated ruse, the bad guy can trick your cellular phone provider into transferring your number to another phone, one that he or she controls. When the secondary passcode is sent to your number, it arrives on that other device instead of yours. While the hack is complex and requires multiple steps to go perfectly, it has succeeded quite often.
Reddit reported the breach to authorities and made the public aware on August 1. An investigation is underway. According to Reddit’s announcement, if you were part of the breached data, you will receive a message from Reddit, prompting you to change your password.
If you are a registered user at Reddit, I’d suggest you not wait for a message; go ahead and change your password.
While you’re changing your Reddit password, if you practice the poor habit of reusing passwords on other sites, you’d better change all of your passwords. Often, this type of data breach is only the beginning of a painful experience for many – the bad guys may have stumbled upon the passwords or sought them specifically.
And, as always when a major breach happens, the bad guys will be lurking. Given the popularity of Reddit, phishing messages should be expected. Be careful if you receive any email message suggesting that you click a link to change a password. If you have an account with a provider, visit the site directly from a web browser and begin the password reset feature there, not from within an unsolicited email message.
What’s this say about two-factor authentication?
Well, two-factor is better than the typical username/password scenario, but SMS messages can be intercepted or redirected; therefore, two-factor that doesn’t rely on text-based passcodes should be pursued.
And I’d feel remiss if I didn’t wonder aloud, “Why did Reddit have a full user database backup from 2007 hanging around?”
William Greg Price is the Chief Technology and Security officer for Troy University and the Director of the Alabama Computer Forensics Institute. He currently represents District 2 on the Pike County Board of Education.