Continuing the story from the 31st of December, Reddit has stated that its mail provider, Mailgun, was compromised, citing reports of completed password resets that account owners did not request. Reddit also stated that it has moved the password reset facility to an in-house server. The attackers gained access to the content of password reset emails, allowing them to reset the password of any Reddit account. Mailgun’s blog stated that the attack occurred via a compromised employee account, which gave the attackers access to Mailgun customers’ API keys.
Accounts that have two-factor authentication enabled are not vulnerable to password reset attacks, since an attacker must also acquire the single-use code to change the password. When asked about the status of the 2FA rollout to all users, KeyserSosa, a Reddit admin, stated: “We paused final roll out because of the holidays since it’s not a small change and wanted full coverage before final testing on everyone.” Once the full rollout is complete, you will no longer need to be a moderator to use 2FA on Reddit.
Protecting your accounts from attacks
This attack shows how far an attacker is willing to go if they believe they can profit from your account. Never publicly flaunt or share how much of a given cryptocurrency you own, always use strong and unique passwords, never reuse a password across sites, and enable two-factor authentication wherever you can.
If you use Reddit, you may know that tip bots such as /u/tippr allow you to tip fellow redditors, in /u/tippr’s case with BCH. Another Reddit bot has recently been discovered that attempts to gain access to Reddit accounts that have sent tips and, if successful, transfers any balance the account holds with tip bots to the Bitcoin Cash address 1Dn1uint1pMTrNXGyE3hQzyL6FJ8jpS1SD. Below are the methods you can use to secure your Reddit account against attackers. Obviously, protecting your Tippr BCH tips is only one benefit of having a secure Reddit password.
Use a secure Reddit password
Image from XKCD
A strong password will always improve your security. When choosing one, length matters more than most other rules; beyond that, make sure you do not use birthdays or other things linked to you personally.
Use two-factor authentication on your account
Two-factor authentication means that when logging into your account you are required to enter a randomly generated, one-time code alongside your password. This is done with any two-factor authentication application that supports the Time-based One-Time Password (TOTP) protocol; the Android and iOS apps Authy and Google Authenticator are recommended. You can read the full two-factor authentication setup guide here, and a short explanation of enabling two-factor authentication follows below.
Enabling two-factor authentication currently requires you to be a subreddit moderator, which you can become by creating your own subreddit. If you are a moderator, you will find the option to enable 2FA on your preferences page. Reddit will ask you to confirm your email address and password while enabling two-factor authentication.
Featured image from Wikipedia