Reddit hacked, urges users to turn on token-based 2FA

Reddit announced to users that the site had a "security incident."

"On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two-factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."

Data accessed includes all Reddit data through 2007, including account credentials and email addresses, along with source code and employee workspace files.

We had a security incident. Here's what you need to know. [Reddit]

TicketMaster UK: 'malicious software' may have allowed thieves to steal customer data

Ticketmaster UK today admitted that an unknown number of customers' data may have been stolen in a malware attack.

Seafood-related queries from own internet-connected vending machines brought college network to its knees

A university, mercifully left unnamed, blew off complaints from students about its slow network. When the problem became too bad to ignore, their IT team found the culprit thanks to a "sudden big interest in seafood-related domains."

"The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor and manage, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet. ... botnet spread from device to device by brute forcing default and weak passwords. Once the password was known, the malware had full control of the device and would check in with command infrastructure for updates and change the device’s password – locking us out of the 5,000 systems."

The Internet of Hacked Things strikes again! I'm sure some content filtering and updating passwords will do the trick.

FBI investigating ‘teen stoner hack’ of CIA Director John Brennan

A pair of self-described teen stoner hackers say they breached an AOL account used by CIA Director John Brennan, the New York Post reported today.

US says hackers stole Social Security numbers from 21.5 million people in OPM data breach

The new number is a lot higher than the 14 million figure investigators offered last month.

Data recovery firm gives man happy ending

Technology writer Mat Honan was "epically hacked," in a widely-circulated cautionary tale that should have you changing your passwords and turning on secondary authentication measures. The Novato, California-based firm DriveSavers helped Mat get his data back, and he traveled to the clean room to see how they did it. (wired.com)