Reddit moderator accounts compromised in coordinated hack, hundreds of subreddits vandalized
Linked post:
- Title: Ongoing incident with compromised mod accounts
- Author: woodpaneled
- Word count: 405 words
I'm one of the full mods on r/science. Thankfully we weren't hit hard at all, since we require anyone with access to the CSS and other subreddit settings to have 2FA enabled. For real, use 2FA if you don't have it enabled.
Edit: Without going into details, we were affected by an account in the very early stages of the attack. We acted quickly and demodded the affected account. At the time we weren't aware it was part of a coordinated attack, but later found out that it was. Thankfully, since we use the principle of least privilege and require 2FA on any accounts with elevated permissions beyond comment mod, the damage the hacked account could actually do was 1) extremely limited, 2) easily corrected. That's why I said we weren't hit hard at all, rather than that we weren't affected.
How do you verify that people actually have 2FA on?
If there were a good check for this, it's something every subreddit (or Reddit itself) should do.
As moderators, rather than admins, we can't verify it through the site, but we keep the number of people with those privileges small and make each of them attest to using 2FA.
But yeah, we were talking about how we would love the ability to require it for any mods.
Even just a github/gitlab style page that shows who on the team has 2FA enabled would be great. Whenever you join a group, you’re presented with a disclaimer saying “hey, owners can see your 2fa status” and a badge shows next to your account in the list.
Ars Technica published an article about this, with some screenshots and further details, including a (now-suspended) Twitter account claiming responsibility: Mass hijacking spree takes over subreddits to promote Donald Trump
Earlier today reports started coming in across many different subreddits that moderator accounts were getting hacked and were vandalizing subreddits with pro-Trump content. I never actually saw the vandalized subreddits myself, but that's what many people are saying, so at the moment I believe it.
There were claims that some of the compromised accounts had 2FA enabled, which was causing some worries and speculation among folks I know. But the admins have since verified that none of the compromised accounts had 2FA enabled at the time.
More details are still coming out, but for now the admins are working to undo the damage.
I don't know if it's just a coincidence, but I think they were trying my account without any success. Yesterday afternoon my account was suddenly suspended until I reset my password.
I don't know why anybody who mods a sub (especially one of the big ones) wouldn't already have their account locked down with 2FA. This sort of thing isn't new.
With any luck, 2FA will be mandatory for all mods in the very near future.
Does 2FA still require a phone number? That's the only thing preventing me from enabling it: I don't trust them with my phone number, and even if I did, data breaches can and will happen. I always enable 2FA when it's TOTP or similar + a paper backup.
Yeah, it's TOTP + paper. I don't even want my family to have my phone number, let alone Reddit :)
I use the Google Authenticator app. I don't think it required me to give my phone number, but I don't remember.
I use Aegis. I wasn't talking about the app; some websites require phone numbers to allow you to enable 2FA. I don't remember if Reddit requires one, but the other reply confirms it doesn't, so it's all good.
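The exchange above turns on why TOTP + paper backup codes need no phone number: the server and the authenticator app share one random secret at enrollment, and every later code is derived from that secret and the current time, so no message ever has to be sent to the user. The block below is an added example, not code from this thread, from Reddit, or from any authenticator app; it implements RFC 4226 HOTP and RFC 6238 TOTP with the usual 6-digit, 30-second, HMAC-SHA1 defaults, a drift window for verification, and single-use backup codes stored only as hashes. `TEST_SECRET` is the RFC test-vector secret, chosen here so the output can be checked against the RFCs; a real enrollment generates a random secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed example secret: the RFC 4226 / RFC 6238 test vector key
# (ASCII "12345678901234567890"). A real server would enroll a random secret
# and show it to the user once, usually as base32 inside a QR code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided into 30-second steps.
    Both sides compute this locally, so no SMS, phone number or network round trip is needed."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time=None, step=30, window=1, digits=6):
    """Accept the current step plus `window` steps on either side to tolerate clock drift.
    Each comparison is constant-time so timing does not reveal how many digits matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def secret_from_base32(text):
    """Decode the base32 form authenticator apps use, tolerating spaces, lowercase and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class BackupCodes:
    """Paper backup codes: generated once, shown to the user once, stored only as SHA-256 hashes,
    and each redeemable a single time. Losing the phone then does not lock the account."""

    def __init__(self, count=8):
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars each; print these
        self._hashes = {self._hash(code) for code in self.plaintext}   # only this set is persisted

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def redeem(self, code):
        """Constant-time match against the stored hashes; a matched code is consumed."""
        candidate = self._hash(code.strip().lower())
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self):
        return len(self._hashes)


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the 8-digit SHA-1 code is 94287082.
    print("TOTP at t=59:", totp(TEST_SECRET, for_time=59, digits=8))
    print("Current code:", totp(TEST_SECRET))
    codes = BackupCodes(count=4)
    print("Paper backup codes (print and store offline):", codes.plaintext)
    print("Redeem once:", codes.redeem(codes.plaintext[0]), "again:", codes.redeem(codes.plaintext[0]))
```

The drift window is the practical reason a code the app showed a few seconds ago still works; widening it beyond one step increases the number of codes an attacker could guess per attempt, so keep it small and rate-limit failed verifications. The backup codes are what the thread calls the "paper" half: the server keeps only their hashes, so a database leak exposes neither the TOTP codes nor a usable recovery path.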
You really think Reddit is selling phone numbers?
Twitter did. They took the phone numbers provided to them for 2FA and sold them for advertising purposes.
Selling? No, I doubt that. But even if they don't you still have to trust they secure their database, their backups and that no employee with authorized access does something bad (there's a history of this last thing on reddit).
I bet it was the barrage of emojis that changed your mind. Those are hard to resist. It's just science.
This was first announced on SRD, hours before the official admin post. This comment, which didn't get much traction, indicates that, in the poster's case, a malicious app was the culprit, possibly installed through a phishing scheme involving Reddit's chat feature.
A response that got even less visibility claims that the redditisfun app is able to bypass 2FA when switching accounts.
I cannot verify any of this, and it's sort of suspect that no other mods publicly posted anything similar.
There was a lot of speculation about bypassing 2FA, but the admins are claiming all of the accounts that were compromised didn't have it enabled.
The top comment is a request from an admin for people to list all the subs affected.