Reddit hacked, urges users to turn on token-based 2FA

Originally published at:


Meanwhile, security at the Mos Eisley Cantina proved vulnerable to suggestive strangers.


Back when I turned on 2FA for Reddit, you had to be an admin (i.e. start a subreddit) to turn it on… Is this still the case? Should we expect a flood of useless subreddits now?

Reddit hacked, urges users to turn in their phone numbers.


I wonder if it takes nation/governmental-level resources to intercept SMS?

Interesting how evil hackers always seem to find the previously unrealized/assumed-safe weak points in a system.

Well, that’s the good thing about Reddit: mostly anonymous, if you are wise enough to have multiple email addresses and aliases instead of, say, being trained by Facebook over the years to use your real name and all your other personal information, location, etc., which can never, ever be undone and will haunt you for the rest of your life if you unwittingly accept their demand for it early on.

we learned that SMS-based authentication is not nearly as secure as we would hope

Many of us have been shouting that for years. I tend to prefer yubikey hardware keys.

Also, as I pull a Donald Trump here: “Reddit hackers, if you’re listening, I hope you’re able to delete /r/the_donald.”


I don’t think so. There is off-the-shelf hardware that will create a micro-cell and then let you say “such and such phone number is attached to my cell, please route their calls/etc. to me.”

I mean I think we’re talking about a device that is in the tens of thousands of dollars, but I don’t think you have to be a state actor to get one. (I am having trouble finding references to these devices but I remember reading about them last year)

Not even close. My mobile provider uses an outside company to handle their SMS gateway. That outside company routinely traps / probes SMS messages I send through the gateway. I know they’re doing it because I’ve included “test links” (URLs that only exist in the SMS messages) and, shortly after sending a message, a bot comes knocking.

Unless the message is encrypted (and signed) assume all companies that touch the message are fiddling with the message.


For all the messages that are talking about SMS, I just set up 2FA for Reddit now and they suggested (as I already use for other things like Dropbox and Evernote) that I use Google Authenticator rather than SMS, so that isn’t really an issue here.
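The post above recommends an authenticator app over SMS. The difference in practice is that a TOTP code is derived from a shared secret and the current time on the device, so nothing crosses the phone network at login and an attacker who ports the number or intercepts SS7 traffic gets nothing. The following is an added example (not code from the original thread, Reddit, or Google Authenticator) implementing HOTP (RFC 4226) and TOTP (RFC 6238) in Python with only the standard library; the function names `hotp`, `totp`, `verify_totp` and `secret_from_base32` are my own, and the 20-byte ASCII secret `12345678901234567890` is the published RFC test secret, used here so the results can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown in an otpauth:// QR code.

    Authenticator apps accept unpadded, lower-case base32, so normalise
    before handing it to the standard library decoder.
    """
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window,
    # whose top bit is masked off to give a 31-bit integer.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1,
                algo=hashlib.sha1) -> Optional[int]:
    """Server-side check for a submitted code.

    Returns the matching time-step counter on success, or None on failure.
    `window` tolerates clock drift of +/- that many steps; `last_counter` is
    the counter the caller stored for the previous successful login, so a code
    that was already used cannot be replayed inside the drift window.
    Comparison is constant-time to avoid leaking which digits matched.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = int(at_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue  # already consumed (or older than the last accepted code)
        expected = hotp(secret, candidate, digits, algo)
        if hmac.compare_digest(expected, submitted):
            return candidate
    return None


if __name__ == "__main__":
    # RFC test secret (ASCII "12345678901234567890"), base32-encoded the way
    # an enrolment QR code would carry it.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(seed, 0))            # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(seed, 59, digits=8))  # 94287082 per RFC 6238
    code = totp(seed, 59)
    print("verify at t=59:", verify_totp(seed, code, 59))
    print("replay at t=89 after counter 1 used:", verify_totp(seed, code, 89, last_counter=1))
```

The replay guard matters more than it looks: without `last_counter`, a phished code stays valid for the whole drift window, which is exactly the gap real-time phishing kits exploit. A hardware key with FIDO/U2F origin binding, as another commenter prefers, closes that gap entirely because the code never exists to be relayed.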

Probably, but how could one tell the difference?

An awful lot of work to prove user stonetear is who you allege.

It takes a call to your phone company to get them to port your number to a new phone. People like to think hacking is highly technical, but more often than not it’s just pretending to be a confused old person to a clueless tech support person.


Reports are generally “no”. SS7 has largely been a success story from the perspective of interoperability; but its security model is pretty much faith based.

Reports vary on exactly how low the price of entry is; but (while nation states can probably safely be assumed to be collecting all of them, just in the spirit of the occasion) you do not need to be particularly sophisticated, deep pocketed, or officially connected to play.

Using social engineering to just have the Telco port the target number to your SIM is crude, manual, and not wholly reliable; but it’s even easier to try.

No one actually uses any real information there do they?

Don’t tell me, clear text passwords?!?!?

Insufficiently salted hashed passwords!!!

This topic was automatically closed after 5 days. New replies are no longer allowed.