In what appears to be a massive coordinated strike against Reddit, hackers took over dozens of pages on Friday afternoon, using their access to plaster pro-Donald Trump imagery across subreddits with huge followings.
Coming just over three weeks after hackers used access to high-profile Twitter accounts to tweet a bitcoin scam, the wave of Reddit compromises has a similarly eye-popping reach. Reddit communities with well over a million members—including r/space, r/food, and r/NFL—were all defaced with Make America Great Again campaign banners and other pro-Trump signage.
Sometime on Friday morning, hackers began breaking into the accounts of the moderators of dozens of subreddits, ranging from the popular channels cited above to more niche fare like r/beerporn. They used that access not only to splash the pro-Trump imagery all over the page, but in many cases posted a MAGA missive from the moderator’s account with the subject “We Stand With Donald Trump #MIGA2020.”
“We on behalf of the American people want to implore and strongly encourage you all to vote Trump in the 2020 elections of the USA of America,” read one such message, posted to the college-football-focused r/cfb. The post goes on to call the novel coronavirus a “hoax,” loosely compares Trump to Batman, and ends with a list of “Ten Things Democrats Did Wrong,” which includes “Nice people are hated by the Democrats” as a bullet point. In the case of r/cfb, the hackers also set the community to private, leaving only an emoji-strewn pro-Trump message on the landing page for those locked out.
“An investigation is underway related to a series of vandalized communities,” said a Reddit spokesperson. “It appears the source of the attacks were compromised moderator accounts. We are working to lock down those accounts and restore impacted communities.”
Hackers attempted to claim credit for the attacks on Twitter, saying, “We combined password stuffing and social engineering together to beat the teenage bitcoin cheater,” an apparent reference to alleged Twitter hack ringleader Graham Ivan Clark, who was arrested last week. Credential stuffing is when attackers use previously leaked passwords to break into accounts made by the same email address, taking advantage of the common human tendency to reuse passwords. Social engineering is a catch-all for ways to trick people into giving you information that helps break into their account or someone else’s; it’s at the heart of many so-called SIM-swap attacks that help hackers get around two-factor authentication.
Claims of hacking credit on Twitter should be taken with hefty boulders of salt, but some combination of password reuse and SIM-swapping could certainly be at the heart of the Reddit hacks. Since the takeovers occurred, Reddit users have been scrambling to figure out what happened, and to protect their own accounts. A post published Friday afternoon by a Reddit community moderator warns people to look for unexpected password reset emails and encourages mods to change their passwords. A post on r/SubredditDrama includes a “Guide to unfucking your subbreddit” that initially led off with “#ENABLE TWO-FACTOR AUTHENTICATION” but was edited to say that some accounts were compromised even with two-factor in place.
There’s also the possibility, as in the case of the Twitter hacks, that attackers gained access to Reddit’s internal tools. That would help explain the huge scope of the problem and how the attackers were able to move so quickly across the platform.
At least 70 subreddits experienced issues. Many of the subreddits were restored by later in the afternoon, but some victims, including r/GreatBritishBakeOff and r/buffy, remained MAGAtized.