Recently, various redditors started reporting missing Bitcoin Cash (BCH) funds, as users noticed their Tippr balances were gone after receiving emails notifying them of password changes. Reddit conducted an internal investigation and found that a hacker managed to breach the platform’s third-party password reset system. This gave the hacker access to multiple victims’ BCH balances.
Tippr, a popular bot used on both Reddit and Twitter, allows users to reward one another in Bitcoin Cash. Rewards are usually given to those who post particularly insightful or entertaining comments.
According to site administrator gooeyblob, the hacker had access to the password recovery emails distributed by the third-party service provider, Mailgun. He reportedly didn’t have access to Reddit’s systems or any user’s email account. The administrator’s post reads:
“As an immediate precautionary measure, we moved reset emails to an in-house mail server soon after we determined reset links were indeed being clicked without access to the user’s email, and before Mailgun had confirmed to us that they were vulnerable. We know this is frustrating as a user, and we have put additional controls in place to help make sure it doesn’t happen again.”
Reddit added that it is working with Mailgun to identify all affected accounts. According to the company, the overall number of confirmed affected users is, so far, fewer than 20. Mailgun has issued a statement on the matter, informing users their API key was compromised.
Per Mailgun, the root cause of the hack was an employee’s account being compromised by an unauthorized user. The company added that it quickly “closed the point of access to the unauthorized user,” and deployed additional safeguards.
Speaking to Gizmodo, Tippr creator Rob Danielson revealed he believes the culprit was someone who “realized they had an opportunity to make a quick buck.” The total amount stolen was somewhere between $2,000 and $4,000, according to Danielson. After finding out about the breach, Danielson disabled Tippr’s Reddit functionality, in a bid to avoid further damage.
Previous attacks on r/btc users
Redditors on the r/btc community are usually BCH supporters, although it’s possible to find users neutral to the scaling debate. According to some, the Tippr incident may be part of an ongoing “war” between separate factions in the scaling debate.
On December 20, 2017, someone hacked the account of an r/btc moderator and used his administrative privileges to reconfigure the subreddit. After he was done, the r/btc subreddit pointed users to r/bitcoin.