
Cyber Incident Victim: Reddit

Date: Dec 2017

Location: United States of America

Summary

A malicious actor compromised a third-party email service provider used by Reddit, gaining unauthorized access to password reset emails, which enabled account takeovers. The breach resulted in unauthorized password resets and theft of Bitcoin Cash funds from linked cryptocurrency tip accounts, though the platform confirmed its internal systems remained uncompromised. Fewer than 20 users were directly impacted. The incident was attributed to an attacker exploiting a compromised employee email account at the vendor. The provider implemented technical safeguards and closed the access point after identifying the attack vector, noting the breach affected under 1% of its customer base.


Description

On December 31, 2017, Reddit received multiple user reports of unauthorized password reset emails being initiated and completed without account owner consent. The company launched an investigation and coordinated with Mailgun, a third-party email provider responsible for sending Reddit’s account-related communications, including password reset emails. Reddit determined that a malicious actor had compromised Mailgun’s systems, gaining access to Reddit’s password reset email functionality. This allowed attackers to hijack Reddit accounts by intercepting or manipulating password reset processes. Several affected users reported unauthorized access to their cryptocurrency accounts linked to Reddit profiles, specifically noting drained Bitcoin Cash tip wallets. Reddit emphasized that its internal systems remained uncompromised and that attackers did not access user email accounts directly. The company initially confirmed fewer than 20 impacted users but acknowledged broader user frustration over the incident.

Mailgun disclosed on January 3, 2018, that it had identified the breach vector as a compromised employee email account, which enabled unauthorized access to a customer API key—later confirmed to belong to Reddit. The vendor immediately revoked the attacker’s access, deployed technical safeguards to secure the affected application component, and stated the incident impacted fewer than 1% of its total customer base. Reddit implemented additional controls to prevent recurrence but did not specify these measures publicly. Both organizations maintained that the attack’s scope was limited, with Mailgun attributing no further customer compromises beyond Reddit’s case. The breach highlighted risks associated with third-party email service dependencies, particularly regarding credential resets and integrated financial functionalities like cryptocurrency tipping.
