Reddit Announces Account Data Breach

Originally published at:

Social news site Reddit has announced a relatively minor data theft that’s a good reminder to change old passwords, turn on two-factor authentication, and delete any Reddit content you don’t want linked to your email address.

I haven’t been able to enable two-factor authentication using the provided instructions. I’m using Safari. Any reason to think another browser might be required? When I logged into my account as the first step, I was prompted to add my email address. Although the process seemed to indicate that my email had been successfully added, clicking the enable two-factor link continues to inform me that I must add a verified email address. A button for verifying email is displayed in the same pop-up window, but when I click it, the window disappears and nothing else happens. If feels like a pop-up window problem, but I don’t have pop-ups disabled, and the first one certainly appeared without a problem. I’ve tried quitting the browser and starting again without success.

I was able to create 2fa on reddit yesterday using Safari, so it’s not anything to do with the browser.

Thanks. I was eventually able to find another widget at the site that let me verify my email address and proceed with enabling two-factor authentication, but I’m not sure I want to install a separate mobile app just to authenticate at reddit.

I have 2FA using an Authenticator app for Google accounts, Facebook, Twitter, Amazon, Microsoft, Dropbox, Backblaze, and Protonmail (thinking of switching from Gmail; not so sure yet.) Anywhere I can get 2FA, I get it. I want that one last bit of protection from somebody stealing an account.

The larger lesson is to avoid two-factor authentication systems that rely on SMS messages, since the breach of the Reddit employee accounts was facilitated by an SMS intercept.

Um…doesn’t Apple use SMS messages for their 2fa? That at least seems to be the case for accessing their Global Service Exchange (GSX) and Device Enrollment Program (DEP) portals. I would love it if I could get those to work with Authenticator or 1Password instead.

For Apple’s two-factor authentication (as opposed to two-step verification, which they’re deprecating) they have a direct channel to other enrolled Apple devices—you get a dialog on your Mac and iPhone and iPad that you can interact with to get the 6-digit code. Two-step verification does use SMS and I imagine that’s part of why it’s being phased out.

I don’t know how the GSX and DEP portals work.

Some relevant links: