- Vector: phishing
- Severity: high
- Data exposed: Employee credentials and one-time codes captured and relayed in real time despite mandatory MFA
- Attacker: BlackCat/ALPHV ransomware group (claimed)
- Discovered: 2023-02-05
- Disclosed: 2023-02-10
- Date: 2023-02-10
What happened
Security analysts highlighted that Reddit's February 2023 breach succeeded even though the phished employee had multi-factor authentication enabled, which Reddit makes mandatory. The attacker's cloned intranet page acted as a real-time proxy, capturing both the password and the one-time second-factor token and relaying them to Reddit's real login before the code expired. This 'adversary-in-the-middle' technique, related to MFA-fatigue and reverse-proxy phishing kits, shows that knowledge-based and time-based MFA can be defeated by sufficiently convincing phishing. Commentators argued the case strengthens the argument for phishing-resistant, hardware-bound authentication such as FIDO2/WebAuthn. The breach became a widely cited example of MFA's limits against targeted social engineering.
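The contrast drawn above, seen from the verifying server, as an added sketch that is not code from Reddit or from the analyses cited: a time-based code verifies wherever it was typed, while a WebAuthn-style assertion signs the origin the browser actually saw. The origins, secrets, challenge and timestamp are constructed, and an HMAC stands in for the authenticator's public-key signature (real WebAuthn also binds the RP ID inside the authenticator data).

```python
import hashlib, hmac, json, struct

# Constructed values for this sketch; none come from the incident.
REAL_ORIGIN = "https://intranet.example.com"        # assumed legitimate login origin
LOOKALIKE_ORIGIN = "https://intranet-example.com"   # assumed lookalike origin
TOTP_SECRET = b"constructed-totp-secret"
AUTHENTICATOR_KEY = b"constructed-authenticator-key"

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). Nothing in the code names the site it was typed into."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(code, now):
    """The server sees only six digits, so a code forwarded inside its window verifies."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))

def authenticator_sign(challenge, origin_seen_by_browser):
    """WebAuthn-style assertion: the browser, not the user, records the origin it is on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_seen_by_browser}, sort_keys=True).encode()
    # Simplification: HMAC in place of the authenticator's private-key signature.
    return client_data, hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).digest()

def server_accepts_assertion(client_data, sig, expected_challenge):
    """Relying-party checks: signature first, then type, challenge and origin."""
    expected = hmac.new(AUTHENTICATOR_KEY, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    data = json.loads(client_data)
    return (data.get("type") == "webauthn.get" and data.get("challenge") == expected_challenge
            and data.get("origin") == REAL_ORIGIN)

def compare(now=1_675_555_200):
    """Outcome at the real server for each factor; `now` is a constructed timestamp."""
    challenge = "constructed-challenge-1"
    cd, sig = authenticator_sign(challenge, LOOKALIKE_ORIGIN)
    forged = cd.replace(LOOKALIKE_ORIGIN.encode(), REAL_ORIGIN.encode())
    return {
        "totp_relayed": server_accepts_totp(totp(TOTP_SECRET, now), now + 5),
        "webauthn_direct": server_accepts_assertion(*authenticator_sign(challenge, REAL_ORIGIN), challenge),
        "webauthn_relayed": server_accepts_assertion(cd, sig, challenge),
        "webauthn_origin_rewritten": server_accepts_assertion(forged, sig, challenge),
    }

if __name__ == "__main__":
    print(compare())
```

The last case shows why editing the origin in transit does not help: the signature covers the client data, so any change invalidates it.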