Enlarge (credit: Misaochan)

A newly disclosed breach that stole password data and private messages is teaching Reddit officials a lesson that security professionals have known for years: two-factor authentication (2FA) that uses SMS or phone calls is only slightly better than no 2FA at all.

In a post published Wednesday, Reddit said an attacker breached several employee accounts in mid-June. The attacker then accessed a complete copy of backup data spanning from the site’s launch in 2005 to May 2007. The data included cryptographically salted and hashed password data from that period, along with corresponding user names, email addresses, and all user content, including private messages. The attacker also obtained email digests that were sent between June 3 and June 17 of this year. Those digests included usernames and their associated email address, along with Reddit-suggested posts from safe-for-work subreddits users were subscribed to.

Wednesday’s post said that the breached employee accounts were protected by 2FA, which typically requires people to take an extra step beyond entering a password when accessing an account from a new computer. In most cases, the extra step is the entering of a one-time password (OTP) that’s sent to or generated by a mobile phone. More secure yet, the 2FA is in the form of a cryptographic token sent by a security key attached to a device logging in. The 2FA protecting the Reddit accounts, however, relied on OTPs sent through SMS messages, despite reports over the years (such as this one) that make it amply clear they are susceptible to interception.