Reddit SMS MFA Bypass: Attacker Intercepts Texts to Access Employee Accounts

An attacker compromised several Reddit employee accounts by intercepting SMS-based two-factor authentication messages. The employee accounts had access to source code, email digests, and a 2007 database backup containing credentials.

Reddit · 2018 · 2 min read

Background

Reddit was using SMS-based two-factor authentication (2FA) for employee accounts in 2018. SMS 2FA sends a one-time code via text message to the user's phone, but SMS is vulnerable to SIM swapping and SS7 network interception — known weaknesses that Reddit unfortunately experienced.

The Attack

The attacker intercepted SMS messages sent to Reddit employees' phones — likely via SIM swapping with the employees' mobile carriers. With both the employees' passwords (possibly obtained through other means) and the intercepted SMS codes, the attacker accessed several Reddit employee accounts between June 14-18, 2018. The compromised accounts had read access to Reddit source code, internal logs, configuration files, employee workspace documents, an old database backup from 2007 containing account credentials and email addresses, and email digests from 2018.

Response

Reddit disclosed the breach publicly — a notable choice of transparency for a major platform. The company rotated all production credentials and secured all services. Reddit began migrating all employee 2FA from SMS to hardware tokens. The 2007 database backup exposure prompted password resets for affected users.

Outcome

The breach compromised an estimated 100,000 users whose email addresses appeared in the 2018 digest exposure. The case was widely cited as a real-world example of SMS 2FA weakness, following years of security researchers warning about its vulnerability.

Key Takeaways

  1. SMS 2FA can be bypassed via SIM swapping or SS7 interception — migrate to TOTP apps or hardware security keys
  2. Employee accounts with access to source code and databases need the strongest available authentication
  3. Historical database backups must be encrypted and access-controlled — old data is still valuable to attackers
  4. Transparent breach disclosure by companies is good for the security ecosystem even when it is embarrassing
Tags: SMS MFA, SIM swapping, SS7, MFA bypass, employee accounts