Continuing the story from the 31st of December, Reddit has stated that its mail provider, Mailgun, was compromised, citing reports of completed password resets that account owners did not request. Reddit also stated that it has moved the password reset facility to an in-house server. The attackers gained access to the content of password reset emails, allowing them to reset the password of any Reddit account. Mailgun’s blog stated that the attack occurred via a compromised employee account, which gave the attackers access to Mailgun customers’ API keys.
Accounts that have Two-Factor authentication enabled are not vulnerable to password reset attacks, since an attacker must also acquire the single-use code to change the password. When asked about the status of the 2FA rollout to all users, KeyserSosa, a Reddit admin, stated “We paused final roll out because of the holidays since it’s not a small change and wanted full coverage before final testing on everyone.” Once full rollout is complete, you will no longer need to be a moderator to use 2FA on Reddit.
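To make concrete why a leaked reset email is enough to take over a plain account but not a 2FA-protected one, here is an added example of a minimal password reset flow (it is not Reddit’s or Mailgun’s code; the account store, secret, salt and limits are all constructed for the example). A token is issued as it would be in the email; for accounts with a TOTP secret, completing the reset also requires a valid single-use code, and repeated wrong codes discard the token so the six-digit code cannot be guessed online.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Constructed in-memory account store for this example (not a real service's schema).
ACCOUNTS = {
    "alice": {"password_hash": None, "totp_secret": None},                          # no 2FA
    "bob":   {"password_hash": None, "totp_secret": b"constructed-example-secret"},  # 2FA enabled
}

# Pending reset tokens keyed by sha256(token): only the hash is stored, so a
# leak of this table does not hand out usable tokens.
PENDING_RESETS = {}
RESET_TTL_SECONDS = 15 * 60
MAX_OTP_FAILURES = 3


def hash_password(password: str) -> bytes:
    # Fixed salt keeps the example deterministic; a real service salts per user
    # and uses a memory-hard KDF (scrypt/argon2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def request_reset(username: str, now: float) -> str:
    """Issue a reset token; the returned string is what the reset e-mail would carry."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    PENDING_RESETS[key] = {"user": username, "expiry": now + RESET_TTL_SECONDS, "otp_failures": 0}
    return token


def complete_reset(token: str, new_password: str, now: float, otp: Optional[str] = None) -> bool:
    """Consume the e-mailed token. For a 2FA account the caller must also present a
    valid TOTP code, so reading the e-mail alone is not enough to take the account."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING_RESETS.get(key)
    if entry is None:
        return False
    if now > entry["expiry"]:
        del PENDING_RESETS[key]
        return False
    account = ACCOUNTS[entry["user"]]
    secret = account["totp_secret"]
    if secret is not None:
        # Accept the current 30-second step and one on either side for clock drift.
        candidates = [totp(secret, now + drift) for drift in (-30, 0, 30)]
        if otp is None or not any(hmac.compare_digest(otp, c) for c in candidates):
            entry["otp_failures"] += 1
            if entry["otp_failures"] >= MAX_OTP_FAILURES:
                del PENDING_RESETS[key]   # stop online guessing of the 6-digit code
            return False
    del PENDING_RESETS[key]   # single use
    account["password_hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    now = 1_700_000_000.0
    # Email content alone finishes the reset for an account without 2FA...
    print("alice, token only:", complete_reset(request_reset("alice", now), "new-pw", now))
    # ...but not for one with 2FA, unless the current code is also presented.
    tok = request_reset("bob", now)
    print("bob, token only:", complete_reset(tok, "attacker-pw", now))
    print("bob, token + code:", complete_reset(tok, "owner-pw", now, otp=totp(ACCOUNTS["bob"]["totp_secret"], now)))
```

The two design points worth noting are that the server never stores the raw token (only its hash), and that a wrong TOTP code does not immediately invalidate the token, which would let anyone who read the email lock the owner out of their own reset; instead a small failure budget ends the attempt.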
Protecting your accounts from attacks
This attack shows how far an attacker is willing to go if they believe they can gain from your account. Never publicly flaunt or share how much of a given cryptocurrency you own, always use strong and unique passwords, never reuse a password across sites, and enable Two-Factor authentication wherever you can.