Reddit disclosed the results of an internal investigation into a hack of its platform, saying a hacker was able to get into its third-party password reset system.
According to a report in The Next Web, Reddit said that while the hacker was able to access the password recovery emails sent out by Mailgun, its third-party email vendor, the hacker did not have access to Reddit's own systems or to any Redditors' email accounts. Reddit noted it is working with Mailgun to pinpoint all the accounts that were affected.
“On 12/31, Reddit received several reports regarding password reset emails that were initiated and completed without the account owners’ requests,” a post on Reddit read. “We have been working to investigate the issue and coordinating with Mailgun, a third-party vendor we’ve been using to send some of our account emails, including password reset emails. A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails.”
The report noted that as soon as Mailgun alerted it to the breach, Reddit moved all of its password reset emails to a server located on its own premises. "We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn't happen again," Reddit said in the message.
Mailgun also released a statement alerting users that a customer's API key had been compromised, saying it took immediate action to determine the cause and impact of the breach. "On January 3, 2018, Mailgun became aware of an incident in which a customer's API key was compromised and immediately began diagnostics to help determine the cause and the scope of impact," said Mailgun's CTO, Josh Odom, in a blog post. "At that point in time, we were able to determine that the root cause was due to a Mailgun employee's account being compromised by an unauthorized user. We immediately closed the point of access to the unauthorized user and deployed additional technical safeguards to further protect this sensitive portion of our application."