Someone is causing panic on Reddit: a mysterious user going by the name TehBVM (@TehBVM) claims to have already popped more than 100 subreddits. The user has already targeted subreddits related to the Battlefield One game, Marvel Studios, Star Wars, How to Hack, and Game of Thrones, and has also defaced popular subreddits like TIFU (today I f**ked up).
The hacker has spent the past weeks hijacking Reddit moderator accounts and defacing their subreddit pages, changing cover images and CSS.
What is the motivation behind the defacements?
Apparently, TehBVM is doing it partly to demonstrate Reddit’s weak security posture; the hacker hasn’t disclosed personal information belonging to Reddit users.
“Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones, /r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.”
TehBVM did not explain how he compromised the Reddit accounts; the only certainty seems to be that he hasn’t launched a brute-force attack against the platform. It is likely that the hacker is using login credentials exposed in other data breaches, in the hope that users have reused them across multiple online services.
Clearly, this kind of incident could easily be avoided by introducing a two-factor authentication mechanism.
Reddit has already planned the introduction of a 2FA feature, but it has yet to develop a beta.
The lack of a strong authentication method has been exploited by hackers before: in 2013, other subreddits were popped in similar circumstances.
(Security Affairs – Reddit, hacking)