Naked Security

Reddit doesn’t support 2FA – a hacker just proved why it should

Someone hacked Reddit moderator accounts to deface around 70 subreddit pages. Maybe it's time Reddit added two-factor authentication.

Some hackers are in it for the money, some for politics, and others for the lulz.

A hacker who’s spent the last two weeks hijacking Reddit moderator accounts and defacing their subreddit pages appears to be doing it partly to make a point about Reddit’s security, and also just because he can.

Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones, /r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.

The hacker, going by the Twitter handle BVM (@TehBVM), has apparently been altering the CSS of the subreddit pages to display variations of the message “Jacked by @TehBVM.”

BVM, whose Twitter profile says he offers a “cheap hacking service,” claims to have used credentials stolen from moderators to take over their accounts and alter their subreddit pages.

The hacker won’t say how he’s getting the moderator logins – some have theorized it’s phishing, brute forcing of passwords, or using leaked passwords obtained somewhere else (BVM says on Twitter that it “wasn’t brute force”).

However BVM is getting them, a password is all that’s needed to take over an account.

Reddit doesn’t support two-factor authentication (2FA), which provides an extra layer of security to user accounts by requiring a one-time code to complete the login process.

Most of the big social media websites support 2FA, including Facebook, Twitter and Instagram (Instagram only just added 2FA in February 2016).

BVM had unkind words for Reddit’s security, telling Motherboard that “if Reddit would simply add 2FA it would be a lot harder to get in.”

Although it’s possible some moderators used weak passwords, or re-used passwords from other websites that may have been leaked, one of the moderators who was hacked claims to have used a unique, randomly generated password.

Reddit has been quick to detect the defaced pages, restoring them within a matter of minutes.

Reddit has also been freezing the hijacked moderator accounts and forcing password resets.

This is not the first time moderators have been hacked and subreddits defaced.

Moderator alienth posted two years ago that moderators were being targeted for account break-ins, after several big subreddits were defaced.

Reddit was already “looking into” adding “some form of multi-factor authentication” back in March 2014, alienth claimed.

So, how about it, Reddit?




As much as I don’t support this kind of hacking, I have to admit, it’s a little amusing, and really underlines the necessity of 2FA. For heaven’s sake, just do it already!


these places that do 2FA need to allow for folks to use it that do not have one of those damned smartphones… my phone is a phone… no text, no internet… just plain old voice calls as they should be… allowing 2FA via email instead of limiting it to txt messages would be helpful…


Get your facts right kid, Twitter DOESN’T support 2FA. 2FA via SMS should not classify as 2FA as it has been shown to be flawed. A service that only offers SMS as 2FA and claims to offer 2FA is fraudulent.

