Another week, another high-profile hack. This week it was (checks notes) Reddit. What makes this one marginally more interesting is that the victims were using two-factor authentication, i.e. SMS codes texted to them to verify their identities when their accounts were accessed — which turned out to be little more than a speed bump for the attackers.
This surprised exactly zero (good) security people. It has long been known that your phone service can be hacked either via SS7, the ancient and insecure system used to interconnect the planet’s phone networks, or by the more old-fashioned but even more effective method of walking into a store and talking a callow, undertrained clerk into transferring your number to the attacker’s phone. Phone companies are trying to remediate both of these attack vectors, but you can’t trust them to protect you; not yet, and possibly not ever.