A Friday Reddit post by u/gooeyblob confirmed the vector of attack used to rob users of Bitcoin Cash funds tied to their accounts. Just days ago, posts complaining of missing Bitcoin Cash funds began surfacing in the r/btc subreddit, as victims noticed that their Tippr balances were emptied following emails of account password changes. Tippr, a popular bot used in Reddit’s cryptocommunities, allows users to tip other users in Bitcoin Cash for posts, comments, and content they appreciate, a practice similar to gifting Reddit Gold.
In the post on r/bugs, moderator gooeyblob indicated that the attack was carried out through Mailgun, a third party software provider. Reddit uses Mailgun to process platform-wide email services like password resets.
As such, the “malicious actor targeted Mailgun and gained access to Reddit’s password reset emails,” the post explains. “The nature of the exploit meant that an unauthorized person was able to access the contents of the reset email,” thus allowing the individual to breach user accounts to withdraw their Bitcoin Cash balances. The admin continues to reassure users that the “individual did not have access to either Reddit’s systems or to a redditor’s email account.”
In response to these events, the Reddit team has moved reset emails to internal servers for precautionary purposes.
Currently, Reddit is working with Mailgun to make sure that both parties have identified all affected accounts. So far, they have confirmed that less than 20 accounts have been impacted by the breach, and they have assisted these individuals with account recovery.
In a separate but related blog post, Mailgun revealed its own findings from the case. According to Josh Odom, the post’s author, “[on] January 3, 2018, Mailgun became aware of an incident in which a customer’s API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact.”
Odom admits that “the root cause was due to a Mailgun employee’s account being compromised by an unauthorized user.” Upon identifying the vulnerable entryway, Mailgun immediately shut off this access point for the unauthorized user.
As the post goes on, Odom continues to write that Mailgun has completed its diagnostic, finding that less than 1% of its users were affected. If an account was compromised, the Mailgun team notified the affected party of the breach.
Finally, the post concludes with the promise that Mailgun is “engaging with a third-party security team to complete an additional audit of this incident to validate our findings.”
Featured image from Shutterstock.