The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better — are failing to adequately lock down their privileged accounts.

An excerpt from Reddit’s mea culpa says it all: “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” Read more.