In order to avoid birthday attacks on message authentication schemes, it has been suggested that one add randomness to the scheme. One must be careful about how randomness is added, however. This paper shows that prefixing randomness to a message before running the message through an iterated MAC leads to an attack that takes only O 2(l+r)/3 + max{2l/2 , 2r/2 } queries to break, where l is the size of the MAC iteration output and r is the size of the prefixed randomness.