Some hackers are in it for the money, some for politics, and others for the lulz.
A hacker who’s spent the last two weeks hijacking Reddit moderator accounts and defacing their subreddit pages appears to be doing it partly to make a point about Reddit’s security, and also just because he can.
Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones, /r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.
The hacker, going by the Twitter handle BVM (@TehBVM), has apparently been altering the CSS of the subreddit pages to display variations of the message “Jacked by @TehBVM.”
https://twitter.com/Extradition_/status/729784040140775428?ref_src=twsrc%5Etfw
BVM, whose Twitter profile says he offers a “cheap hacking service,” claims to have used credentials stolen from moderators to take over their accounts and alter their subreddit pages.
@Etkar2008 @TechnologyKing6 I hack the owners account. Then take over the reddit untile he contacts reddit and gets it back.
— BVM (@TehBVM) May 6, 2016
The hacker won’t say how he’s getting the moderator logins – some have theorized it’s phishing, brute forcing of passwords, or using leaked passwords obtained somewhere else (BVM says on Twitter that it “wasn’t brute force“).
However BVM is getting them, a password is all that’s needed to take over an account.
Reddit doesn’t support two-factor authentication (2FA), which provides an extra layer of security to user accounts by requiring a one-time code to complete the login process.
Most of the big social media websites support 2FA, including Facebook, Twitter and Instagram (Instagram only just added 2FA in February 2016).
BVM had unkind words for Reddit’s security, telling Motherboard that “if Reddit would simply add 2FA it would be a lot harder to get in.”
Although it’s possible some moderators used weak passwords, or re-used passwords from other websites that may have been leaked, one of the moderators who was hacked claims to have used a unique, randomly generated password.
Reddit has been quick to detect the defaced pages, restoring them within a matter of minutes.
Damn, the admins must have a different way of finding out as r/books came back way too fast. . Maybe they flagged my css.
— BVM (@TehBVM) May 10, 2016
Reddit has also been freezing the hijacked moderator accounts and forcing password resets.
Reddit is stepping up their shit because of me https://t.co/CmbAPOX2j0
— BVM (@TehBVM) May 6, 2016
This is not the first time moderators have been hacked and subreddits defaced.
Moderator alienth posted two years ago that moderators were being targeted for account break-ins, after several big subreddits were defaced.
Reddit was already “looking into” adding “some form of multi-factor authentication” back in March 2014, alienth claimed.
So, how about it, Reddit?
M Thibault
As much as I don’t support this kind of hacking, I have to admit, it’s a little amusing, and really underlines the necessity of 2FA. For heaven’s sake, just do it already!
wkitty42
these places that do 2FA need to allow for folks to use it that do not have one of those damned smartphones… my phone is a phone… no text, no internet… just plain old voice calls as they should be… allowing 2FA via email instead of limiting it to txt messages would be helpful…
bantageek
Guess they don’t care….Still haven’t done it.
gaijinhunter
Get your facts right kid, twitter DOESN’T support 2FA. 2FA via SMS should not classify as 2FA as it has been shown to be flawed. A service that only offers SMS as 2FA and claims to offer 2FA is fraudulent.
EhNon Amoose
Twitter does offer OTP but only via the Official Twitter app(on Android/iOS).