Following a brigade of spooked Redditors reporting hacked accounts and missing Bitcoin Cash tips, Reddit has now revealed the results of its internal investigation – and it doesn’t look good. A hacker purportedly breached the platform’s third-party password reset system, forcing access to the accounts of multiple victims.
While the malicious agent was able to access the password recovery emails distributed by Reddit’s third-party software provider, Mailgun, the individual “did not have access to either Reddit’s systems or to a redditor’s email account,” according to site administrator gooeyblob.
Reddit says it is working with Mailgun to identify all affected accounts, adding that the overall number of confirmed impacted users is currently less than 20.
“On 12/31, Reddit received several reports regarding password reset emails that were initiated and completed without the account owners’ requests,” the post read.
“We have been working to investigate the issue and coordinating with Mailgun, a third-party vendor we’ve been using to send some of our account emails including password reset emails,” it continued. “A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails.”
The Reddit admin says the company's technical team has since taken precautionary measures, moving all password reset emails to an in-house mail server as soon as Mailgun notified them of the security threat.
“We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn’t happen again,” gooeyblob added.
Mailgun has similarly issued a statement on the matter, confirming that a customer's API key was compromised. Its team has since been able to identify the source of the attack and close the point of access.
“On January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact,” Mailgun CTO Josh Odom wrote. “At that point in time, we were able to determine that the root cause was due to a Mailgun employee’s account being compromised by an unauthorized user.”
“We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application.”
According to Odom, the attack affected less than one percent of Mailgun’s entire customer base.
So down go the insider job conspiracies: as is often the case, we can chalk up the hacked accounts and the missing Bitcoin Cash tips to yet another poorly secured third-party app.
Published January 5, 2018 — 16:29 UTC