Tuesday, August 11, 2020




Reddit hacked and defaced with pro-Trump messages in English and Chinese


BY DUNCAN RILEY 
 AUGUST 09 2020

Reddit Inc. is the latest company to be hacked, with some 70 groups on the site defaced with pro-Donald Trump messages.

The hack occurred on Friday and involved those behind the attack accessing accounts belonging to moderators of popular subreddits with millions of subscribers, including r/space, r/food, r/Japan, r/nfl, r/cfb and r/podcasts.

The messages posted by the hackers were pro-Trump in both English and simplified Chinese text. The Chinese text in one case (pictured) asked whether former president Barack Obama was a Kenyan, a reference to so-called “birther” conspiracy theories, along with a shout-out to YouTuber David Pakman.

How the accounts were compromised is unknown, but Reddit said it was investigating the incident. On a support thread, Reddit did note that the moderators of the compromised subreddits had not been using two-factor authentication on their accounts. The same thread also added that users should look for signs of a compromise, including an email notification that their password or email address on their account had been changed.

Still, the lack of two-factor authentication doesn’t explain how those behind the hack obtained passwords for the targeted accounts to begin with.

“Most of these popular subreddits are actually ran by volunteers, which makes it tough for Reddit to enforce certain security requirements as it currently stands,” Zack Allen, director of threat intelligence at cybersecurity company ZeroFOX Inc., told SiliconANGLE. “The accounts were probably compromised from a credential-stuffing attack (reused passwords from well-known breaches, like the ones from ShinyHunters and/or GnosticPlayers), phishing or a combination of both.”

Matthew Gardiner, principal security strategist at cloud cybersecurity firm Mimecast Ltd., noted that it’s becoming ever more clear that every participant in these social networks must also adopt the “zero-trust” model – that is, not assuming anything is true unless they can independently verify it.

“This Reddit hack and the recent Twitter hack were easy to discern as bogus, but what if the cybercriminals had been a bit more nefarious and a bit more believable?” Gardiner asked. “It is scary to think what actual damage they could do if they really tried.”


Image: Tim Pool/Twitter SCREENSAVE


No comments: