Two-Factor Authentication Bypassed in Reddit Breach

Last updated on April 19th, 2024 at 02:35 am

A key on a phishing hook, laying on a keyboard.
ID 199685976 © Yevheniikaz |

Online discussion forum Reddit reported on Thursday that its systems had been breached following a sophisticated phishing attack.

In the breach notification, Reddit CTO Christopher Slowe, aka KeyserSosa, explained that the hacker “sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of [Reddit’s] intranet gateway, in an attempt to steal credentials and second-factor tokens.”

One Reddit employee fell for the scam, despite having two-factor authentication (2FA) enabled. This was enough to give the hacker “access to some internal docs, code, as well as some internal dashboards and business systems,” Slowe said. Contact details for employees and contractors, as well as certain information about advertisers, were also affected.

Fortunately, the employee who fell for the phishing email realized their mistake soon after the attack and reported what happened to Reddit’s security team, allowing them to oust the hacker from their network quickly. 

According to Slowe, user data, like passwords, appears to be unaffected by the breach: “We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).” However, he reminded Redditors that they can better protect their accounts by turning on 2FA and using a password manager.

Set up two-factor authentication
Great! Now let's get started...
Step 1: Visit the App Store to get an authenticator app like Google Authenticator or Authy, then follow the app's instructions to set up an account with them.
Step 2: Use your authenticator app to scan the barcode below or get a token to enter manually instead
Reddit currently only supports authenticator based 2FA which, while a massive improvement over SMS-based 2FA, is still vulnerable to phishing.

Unfortunately, as some users noted, Reddit does not currently support security keys as a 2FA method, even though they offer the strongest protection against phishing attacks. Perhaps going forward, Reddit will make this option available for its users and mandatory for its employees. Doing so will better protect users, and Reddit itself, from inevitable future attacks.

Leave a Comment

Your email address will not be published. Required fields are marked *