Reddit 2018 Breach: Attacker Bypasses SMS-Based 2FA, Exfiltrates 2007 Database Backup
August 2018
Between June 14–18, 2018, an attacker intercepted SMS-based two-factor authentication codes for several Reddit employees and used the access to download a complete 2007 site backup containing early users' usernames, salted-and-hashed passwords, email addresses, and all of their public and private content.
What happened
Reddit disclosed on August 1, 2018 that an attacker had compromised several employee accounts between June 14 and June 18, 2018; Reddit discovered the intrusion on June 19. Although the affected staff accounts were protected by two-factor authentication, the attacker performed an SMS-intercept attack against the employees' phone numbers, capturing the one-time codes. Reddit conceded that 'SMS-based authentication is not nearly as secure as we would hope' and urged a move to token-based 2FA, a point amplified by security press who used the incident to illustrate the structural weaknesses of SMS as a second factor.
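The token-based alternative Reddit pointed to is, in practice, an authenticator-app or hardware-token scheme in which the one-time code is computed on the user's device from a shared secret and is never transmitted over the phone network. The following is an added illustration, not Reddit's code and not a description of what Reddit deployed: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation with a server-side verifier. The verifier uses a constant-time comparison, tolerates one time step of clock drift, and refuses to accept a counter at or below the last one already used, so a code captured in transit cannot be replayed inside its validity window. The secret `RFC_TEST_SECRET` is the published RFC test value, used only so the output can be checked against the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). It is used
# here only so the outputs match the published test vectors; a real
# deployment generates a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int,
                last_counter=None, step: int = 30, window: int = 1,
                digits: int = 6):
    """Server-side check. Returns (ok, counter_used).

    - hmac.compare_digest keeps the comparison constant-time;
    - counters within +/- `window` steps of now are accepted (clock drift);
    - any counter <= last_counter already accepted for this user is
      rejected, which blocks replay of a captured code while it is still
      within its time window.  Callers must persist the returned counter.
    """
    current = int(at_time) // step
    start = max(0, current - window)
    for counter in range(start, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, candidate):
            return True, counter
    return False, None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    ok, used = verify_totp(RFC_TEST_SECRET, code, now)
    print("first use accepted:", ok, "counter:", used)
    # Presenting the same code again, with the accepted counter recorded,
    # is refused even though the clock is still inside the window.
    print("replay accepted:", verify_totp(RFC_TEST_SECRET, code, now,
                                          last_counter=used)[0])
```

The replay check is the part an SMS-based scheme typically lacks on the server: with a static SMS code the only defence is expiry, whereas here the per-user high-water mark of accepted counters makes an intercepted code worthless after its first use, and the secret itself never leaves the device that enrolled it.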
The most sensitive exposure was a complete May 2007 database backup the attacker downloaded with read access. It held account credentials (usernames plus salted, hashed passwords), email addresses, and all content — mostly public posts but also private messages — for users active from the site's 2005 launch through May 2007. The attacker also obtained Reddit source code, internal files and configurations, and a set of more recent (June 2018) email-digest logs that paired then-current usernames with the email addresses they were sent to.
Reddit notified affected users, initiated password resets for accounts whose 2007 credentials may have still been in use, and reported the incident to law enforcement. The breach became a widely cited case study in the limits of SMS 2FA for both consumer and enterprise accounts.
Impact
Early-adopter Reddit users (2005–May 2007) had usernames, salted/hashed passwords, email addresses, and private messages exposed in a downloaded backup; more recent users whose addresses appeared in June 2018 digest logs had their username-to-email mapping leaked. Internal source code and configuration files were also taken. The case became a flagship example of why SMS-based 2FA is inadequate for high-value accounts.