Reddit admits its email provider was hacked to steal Bitcoin Cash tips


Following a wave of spooked Redditors reporting hacked accounts and missing Bitcoin Cash tips, Reddit has now revealed the results of its internal investigation, and it doesn't look good. An attacker reportedly gained access to the password reset emails sent through the platform's third-party email provider and used them to take over multiple victims' accounts.

While the malicious agent was able to gain access to password recovery emails distributed by Reddit’s third-party software provider Mailgun, the individual “had access to neither Reddit’s systems nor a redditor’s email account,” according to site administrator gooeyblob.

Reddit says it is working with Mailgun to identify all affected accounts, adding that the total number of confirmed impacted users is currently less than 20.


“On 12/31, Reddit received multiple reports of password reset emails being initiated and completed without requests from account owners,” the post read.

“We have been working to investigate the issue and have coordinated with Mailgun, a third-party provider that we have used to send some of our account emails, including password reset emails,” he continued. “A malicious actor targeted Mailgun and gained access to password reset emails from Reddit.”

The Reddit admin says his team has since taken precautionary measures, moving all password reset emails to an internal mail server as soon as Mailgun notified them of the compromise.

“We know this is frustrating as a user, and we’ve put additional controls in place to ensure this doesn’t happen again,” gooeyblob added.

Mailgun also released a statement about the incident, saying that a customer’s API key had been compromised. Its team has since identified the source of the attack and closed off the access path.

“On January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately ran diagnostics to help determine the cause and extent of the impact,” wrote Josh Odom, CTO of Mailgun. “At that time, we were able to determine that the root cause was due to a Mailgun employee’s account being compromised by an unauthorized user.”

“We immediately shut down the access point to the unauthorized user and deployed additional technical safeguards to further protect this sensitive part of our application.”

According to Odom, the attack affected less than one percent of Mailgun’s entire customer base.

So put the insider conspiracy theories to rest: as is often the case, the hacked accounts and missing Bitcoin Cash tips come down to another poorly secured third-party service.

