Reddit has confirmed that one of its email providers, Mailgun, has been breached, resulting in the takeover of user accounts and the draining of cryptocurrency accounts linked to them.
Attackers infiltrated Reddit accounts using password reset emails sent via the third-party vendor. Several Redditors also reported that their Bitcoin Cash tip accounts had been emptied out.
Despite the alarming details, Reddit urged the public to maintain perspective, noting that the attackers “did not have access to either Reddit’s systems or to a Redditor’s email account,” adding that the number of confirmed impacted users is less than 20 so far.
“On 12/31, Reddit received several reports regarding password reset emails that were initiated and completed without the account owners’ requests,” Reddit explained in a post. “We have been working to investigate the issue and coordinating with Mailgun, a third-party vendor we’ve been using to send some of our account emails including password reset emails,” it continued. “A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails. … We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn’t happen again.”
Mailgun, for its part, said that it has identified the attack vector—an employee’s compromised email account—and has patched the issue.
“On January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact,” Mailgun CTO Josh Odom wrote in a post. “We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application.”
He added that the attack affected less than 1% of Mailgun’s entire customer base.