Another day, another wild mystery in the world of crypto. Reddit has confirmed it is investigating a possible internal security threat after several members of the Bitcoin Cash subreddit – more commonly known as /r/BTC – reported their accounts were purportedly hacked and emptied of their funds.
While the initial string of suspicious breaches allegedly began in December, several more Redditors noted that their accounts were compromised three days ago. According to multiple reports, victims became aware of the security threat when they received emails that the password for their Reddit accounts had been changed.
Shortly after that, affected users noticed the balance on their Tippr accounts – a popular donation software designed to facilitate Bitcoin Cash (BCH) tips between Redditors – had been withdrawn without their consent.
Following the second round of breaches, a post on Hacker Noon documented the unusual activity, speculating there is a high chance the hackings were conducted with the help of Reddit employees. For what it is worth, it is important to point out that the post offers no substantial evidence to back up these claims.
Still, the accusation prompted Reddit administrator gooeyblob to respond to the claims, saying their team is looking into the situation.
“Thanks for reporting – we’re not ignoring,” gooeyblob said. “[T]his was reported privately via security at reddit.com [sic] and we’ve been investigating.”
Among other things, the Hacker Noon piece insists the Reddit passwords of affected users were somehow changed without accessing their emails. This suggests whoever is behind the breach has figured out how to access the password recovery links (sent to the users’ respective email addresses) without actually compromising their emails.
“After ruling out all these scenarios, we can conclude that the hacker sends a password reset request to reddit [sic] on behalf of the victim and then uses the link Reddit generates to reset the password,” the post reads.
“Considering that the hacker couldn’t have learned the reset link neither by lurking into the victims’ emails (no malware involved, no emails compromised) nor by intercepting the Reddit emails,” it continues. “[T]here is only one other place where such information is contained and can be accessed: Reddit’s outbound emails.”
What makes the matter even more bizarre is that the post also seems to be ruling out a malware attack. This leads the author to conclude the following:
Either someone with access to Reddit’s database has been hacked and is not aware that his credentials are being used to hack users’ accounts.
Or a Reddit employee is directly involved in this and is breaking the law by using his access privileges to engage in turf wars.
We have contacted Reddit for further comment and will update this piece should we hear back.
For background, the Bitcoin Cash subreddit was briefly hacked to link to its rival Bitcoin subreddit (/r/Bitcoin) following the initial hacking.
While the two channels have had several run-ins over which cryptocurrency is best, there is nothing to suggest that a member of the Bitcoin subreddit is behind the attack.
While it is indeed possible someone has found a gaping hole in Reddit’s security, one thing to keep in mind is that the majority of breaches originate from third-party apps. Given that most affected users appear to be Tippr donation receivers, it wouldn’t be all that surprising if this is the case here too.
Clarification: Please note that we are not in any capacity suggesting that Tippr is the exact source of the breach, but merely pointing out that the majority of such attacks come from security flaws in third-party apps.
Published January 4, 2018 — 12:48 UTC