Reddit, Twitter and 2FA

On February 9, 2023, Reddit announced that it had become aware of a phishing campaign that successfully targeted its employees.

After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

Among other things, Reddit recommended that users enable 2FA for their accounts. Reddit currently only supports TOTP 2FA, and to my knowledge, the company has never indicated how many of its users have ever enabled the security option on their accounts.

A 2021 transparency report from Twitter reported that only 2.3 percent of users had enabled any 2FA option on their accounts, and of those, 79.6 percent opted for SMS 2FA (which Reddit doesn’t support).

To its shame, Twitter, under Elon Musk, recently announced it would make SMS 2FA a premium feature. Twitter tried to make this change appear as if it were designed to help users,

While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. So starting today, we will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers. The availability of text message 2FA for Twitter Blue may vary by country and carrier.

If Twitter were eliminating SMS 2FA altogether, the line about SMS-based 2FA being used by bad actors might make sense. But turning around and making it available to its premium subscribers gives the game away.

On February 18, 2023, Elon Musk complained, “Twitter is getting scammed by phone companies for $60M/year of fake 2FA SMS messages.” For a company that reported $4.4 billion in revenue before Musk’s acquisition, that represented only about 1.5 percent of its revenues.

But Musk has proven uniquely capable of driving away revenue and turning Twitter’s precarious financial situation into outright desperation. Removing SMS 2FA from non-paying users–knowing full well that very few of those users will switch to a TOTP application–is precisely the sort of short-sighted thinking that has characterized the service since Musk’s acquisition.