How the reddit security breach reminds us to be careful

reddit recently disclosed in their announcements feed of a security breach into their system which the hacker "managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords." Include in the disclosed information was some reddit source code and some log files.

They went on to say in the announcement that the hacker did not obtain writing access into their system, but read-only. So the company urged users who have used the platform anywhere near 11 years ago to reset their password and consider enabling 2-factor authentication.

Jessica Marie, cybersecurity evangelist at WhiteHat Security, had this to say about the incident:

"Simply put, web applications are vital for today’s enterprises, offering a gateway to interact with consumers at any time, on any device. With so many consumers using web applications to access everything from their email to their bank accounts, security must be a top priority. According to WhiteHat Security research, web applications are consistently the most exploited means of entry into companies by hackers, and yet, companies are still failing to implement proper application security, to avoid being a vulnerable target.

"In the instance of reddit’s consumer data breach, it confirms again that security testing efforts are lacking and need to be the first step to protect against vulnerable targets, such as websites, databases, network connections, mobile applications, and APIs. With that said, we as users need to be better at taking security precautions, as well. I realize this is common sense, but it bears repeating:

Best practices for website user security

• Don’t use the same password for all sites and apps. If one site or app is breached, it’s possible that all of your accounts would be a target. At the very least, use a variety of passwords to minimize the impact.
   
• Turn on two-factor authentication for any app or site that supports it. Yes, it can be a pain, but it’s an effective strategy to protect your online accounts.
   
• Only log into sites that use SSL; you’ll know this by checking if there is an ‘https://' before the rest of the URL.
   
• Don’t click on any links or attachments in instant messages or emails. They may seem interesting or completely safe, but chances are, you’re putting your personal data at risk."