Reddit was hacked in an unusual way

You'd assume that any sort of two-factor security is better than nothing, but think again. Hackers gained access to Reddit's databases after the company's employees had their two-factor tokens hijacked through the use of SMS hijacking.

By intercepting the two-factor tokens on the way to someone's device, the attackers were able to engineer their way in: first gaining access to the two-factor token, then triggering an account reset via SMS and hijacking that as well.

As a result, the hackers gained access to a relatively small amount of data, though it still adds up to quite a bit. Reddit says it was a number of email addresses, encrypted passwords and a 2007 database backup of the site, but the extent of the access seems unclear, as Reddit says they also gained access to source code, logs and other backup data.

SMS two-factor, frankly, is not safe. Just days ago, Motherboard published this wild story about SIM hijacking, in which an attacker transfers your phone number to a different SIM card, crippling your own access as they pillage your accounts.

Attackers either convince a customer service representative to do the swap, or in many cases, have access to perform the swap themselves via carrier internal tooling that isn't well secured:

I gave Thug my phone number as a test, and the hacker sent back a screenshot that contained my home address, IMSI number (a standardized unique number that identifies subscribers), and other theoretically secret account information. Thug even saw the special instructions that I gave T-Mobile to protect my account.

Phone numbers, unfortunately, have become master keys in many cases, the one-stop-shop for your identity, and confirming that you are really who you claim to be. There's a reason Google moved all of its employees to a physical security key plugged into the USB port: it works.

SMS-based two-factor is not two-factor, and Reddit just learnt that the hard way. You're better off buying a physical security key if you have the patience to deal with that, or at least using an app like Authy or 1Password to handle the second factor outside of your phone number.

All of this aside, it's wild that attackers got into Reddit this way, and I don't think these types of attacks are going to slow down. It's best to protect yourself, and check your accounts have two-factor enabled (please enable it if you don't have it), then check if it's SMS based.

If the story of Mat Honan's devastating hack is any lesson, it's that the consequences can be downright awful.


WhatsApp starts pushing to make money

In July, we got the news that the last co-founder of WhatsApp was leaving the company over rifts relating to monetization and privacy concerns. Now, just a month later, Facebook is going all-in on that desire to squeeze cash out of the company... with its first API for the messaging service.

Here's how it will work: WhatsApp Business API is a new product that lets businesses provide support and automate messaging on the platform. The monetization is where the twist is, however: it'll be free for businesses to reply in the first 24 hours, then it'll cost them after that.

Yes, it's a time-constrained API billing model, and it appears that it's designed to make businesses extra snappy in replying on the platform. In exchange for using the tool, businesses will get actual profiles on the platform, too.

It appears that Facebook is pushing those that are interested to "authorized service partners" instead of offering carte-blanche access to APIs, after the last few months of scandals. 

To build out your integration, or just reply to messages, you're pushed to other vendors like Dutch startup MessageBird, or Twilio, to integrate. Platforms like MessageBird are even offering SMS fallback, in case notifications aren't pushed to the user fast enough.

This is a big shift for WhatsApp, which has been fairly hostile to businesses on the platform to date, likely while the founders still had a say in what happened to the app. 

Now, Facebook is pushing for change to the product quickly and it appears that it's planning to start with advertising in the coming months as well. If the rate of development in Instagram is any indication, the app won't look anything like itself in just a few months.


Tab Dump

The tiny Surface Go is out today
Good news! I've got one in the mail to review, and I'll be sharing my insights from that here first next week. Jump into recharged chat with any questions in the next few days!

Apple is killing its affiliate program
I actually didn't realize this existed, but hundreds of businesses owe their existence to the Apple affiliate program. By referring people to download apps, they got paid by Apple, and reading the story of TouchArcade, which might die as a result of this change, makes me think it wasn't very well considered.

Facebook's security chief is leaving. He isn't being replaced.
I struggle to understand the logic here, and this part reads even worse: "In an internal Facebook post from January written by Mr. Stamos, which was obtained by The Times, he said the company’s security team was being reorganized and would no longer operate as a stand-alone entity."

Google is planning a censored version of its search engine in China
I plan to write more about this whole thing tomorrow, but this has so much history behind it that I'm surprised Google wants to go back.