Recently reddit disclose a secuity breach , hacker managed to get some user data including some current email addresses and salted and hashed passwords from a database backup back to 2007. The hack according to reddit announcment happened between June 14 and June 18 and they learned about it on June 19.
The most important issue about that hack is how it happened. The attacker compromised some employees account on their cloud and source code hosting providers.
Reddit employees use the two factor authentication “2FA” which known to be the most secure way to protect your account against account takeover and password theft. But the two factor authentication was SMS based so the code sent over the SMS to employee.
The attacker intercept the SMS and was able to take over the target employees accounts. It was a serious attack and the most scary part that it wasn’t related directly with how secure the reddit platform “Code” but the attacker intercepted the SMS.
Reddit take some serious steps to ensure that can’t be happen again. and we all Should too.
If you are a company you should consider thinking about your employees accounts securiy.
It’s not all about your code security or your servers and infrastructure security. Hackers can attack your employees and your physical office as well.
Be paranoid about all security chain starting from physical office security to your employees accounts and every step in between.
SMS can be hacked. Although there is some limitation when it comes to SS7 attacks that allows SMS to be intercepted but it become a reality and not TV fantasy anymore. So if you are using 2FA switch to token based instead of SMS based.
What made reddit attack limited is that the compromised employees permissions was read only. So the hacker was able only to read data.
Divide your employees to groups and every group has keys and accounts limited to thier work only. Each group have just the permissions they need to complete thier work.
At the end , Security isn’t just a ready steps to follow it’s a mentality and the whole company must feel the need.