Reddit Hack tl;dr: SMS Two Factor Authentication Fails to Do Its Job

Four days ago, Reddit announced that hackers were able to steal a complete copy of an old database backup and logs containing email digests sent between June 3 and June 17.

The stolen database backup contains account credentials (usernames and cryptographically salted and hashed passwords), email addresses, and content (mostly public, but also private messages) dating from the site’s launch in 2005 through May 2007.

The logs contain the digest emails themselves, along with usernames and email addresses associated with them.

“Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again,” the official announcement post read.

Reddit source code, internal logs, configuration files, and other employee workspace files were also accessed, but the hackers did not gain write access to Reddit’s systems, meaning that they were unable to alter any Reddit information.

How Did It Happen?

The attackers had compromised employee accounts that were protected by SMS two-factor authentication, leading the company to believe that the hackers were able to intercept SMS messages for the purpose of the attack.

In addition to reporting the issue to law enforcement and alerting affected users, Reddit says that it also “took measures to guarantee that additional points of privileged access to Reddit’s systems are more secure.” That includes enhanced logging, more encryption, and requiring token-based two-factor authentication, or 2FA, “since we suspect weaknesses inherent to SMS-based 2FA to be the root cause of this incident.”

SMS vs Token based 2FA

With two-factor authentication enabled, users are required to input an additional piece of information alongside their password to be able to access their protected accounts. That extra information – typically a code – is shared with the users either via SMS, through an authenticator app (soft token), or as a physical device (physical token, typically inserted in a USB port).

Physical tokens are the safest option but are hardly convenient for everyday users. The most commonly used types of 2FA are SMS and App. So what are the pros and cons of each?


Authentication codes shared via SMS are convenient for users, as they don’t require downloading any apps or any setup. This also means that SMS 2FA will work on literally any mobile device, old or new, regardless of whether is it supported or not.

On the other hand, SMS 2FA can’t be used if a person isn’t connected to his or her mobile network – i.e. traveling without data roaming.

App 2FA

The codes are generated by the app itself, independent of the phone number, meaning that if someone hijacks your SIM card, your 2FA protected accounts will still be safe. This also means that authenticator apps will still work even if you don’t have any connection on your mobile.

But this comes with a drawback. When it comes to authenticator apps, codes are typically generated using a ‘seed’ – a base code so to speak – that is altered at regular intervals using a certain formula. The seed and formula are known to both the server and the app on your mobile device.

This allows the system to know if a code is valid at any given time without having to communicate with the app, meaning that there will be nothing to intercept in the first place. But the whole thing breaks down if someone is able to crack the app or server, which would allow them to predict the next code in sequence. SMS codes, by contrast, are randomly generated.