"Reddit Hack Shows Limits of MFA, Strengths of Security Training"

The recent Reddit hack demonstrates that attackers are continuing to find new ways to circumvent multi-factor authentication (MFA) solutions. Reddit notified its users on January 9 that a threat actor had successfully tricked an employee into clicking on a link in an email sent as part of a spearphishing attack. The link led to a website that mimicked the behavior of Reddit's intranet gateway in an attempt to steal credentials and second-factor tokens. Reddit noted in its advisory that the compromise of the employee's credentials gave the attacker access to internal documents, dashboards, and code for several hours. Techniques such as MFA fatigue and "bombing" make bypassing two-factor authentication (2FA) easy. The transition to the next level beyond 2FA has begun. For example, providers of Identity and Access Management (IAM) solutions are adding more context to access requests, such as the user's location, to help evaluate whether access should be granted, according to Tonia Dudley, CISO of the phishing protection company Cofense. Additionally, the Reddit hack highlights the benefits that employee training can provide. After entering credentials on the phishing website, the employee thought something was wrong and immediately called Reddit's Information Technology (IT) department, thus reducing the attacker's window of opportunity and lessening the damage. This article continues to discuss the recent Reddit hack and the lessons this incident provides.
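As an added illustration of the context-aware access evaluation Dudley describes, the policy below treats a login that passed both password and one-time code as suspect when its location or device is new, and rejects it outright when it arrives minutes after the user's own login from a known context. This is example code, not from the Dark Reading article or from Reddit; the profile fields, request fields and thresholds are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

# Hypothetical data model: what the IAM layer knows about a user and about
# one access request that has already passed password + OTP verification.
@dataclass
class UserProfile:
    username: str
    known_countries: set
    known_device_ids: set

@dataclass
class AccessRequest:
    username: str
    password_ok: bool
    otp_ok: bool
    country: str
    device_id: str
    minutes_since_last_login: int

def evaluate_access(profile: UserProfile, req: AccessRequest):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.

    A password and OTP relayed through a phishing page look valid to a plain
    MFA check; the context signals are what separate that relay from the
    employee's own login.
    """
    if not (req.password_ok and req.otp_ok):
        return "deny", ["password or OTP check failed"]
    reasons = []
    if req.country not in profile.known_countries:
        reasons.append(f"new country: {req.country}")
    if req.device_id not in profile.known_device_ids:
        reasons.append(f"unknown device: {req.device_id}")
    # A second session from an unfamiliar context within minutes of a login
    # from a familiar one is consistent with relayed credentials: deny and
    # leave the reasons for the alert that the SOC will receive.
    if reasons and req.minutes_since_last_login < 10:
        reasons.append("follows a recent login from a known context")
        return "deny", reasons
    if reasons:
        return "step_up", reasons   # e.g. re-verify through a phone call to IT
    return "allow", reasons

# Constructed sample data: the employee's profile and three requests.
EMPLOYEE = UserProfile("employee", {"US"}, {"laptop-01"})
NORMAL = AccessRequest("employee", True, True, "US", "laptop-01", 480)
RELAYED = AccessRequest("employee", True, True, "XX", "unknown-7", 3)
TRAVEL = AccessRequest("employee", True, True, "DE", "laptop-01", 600)
```

Running `evaluate_access(EMPLOYEE, r)` for the three requests gives `allow`, `deny` and `step_up` respectively; the relayed case is denied even though both factors were correct.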

Dark Reading reports "Reddit Hack Shows Limits of MFA, Strengths of Security Training"
