Ask HN: 10-year Reddit account hacked despite 2FA enabled

6 points | by guilamu | 8 months ago
My 10-year Reddit account (u/guilamu) was compromised on the night of October 2-3, 2025, despite having proper security measures in place:

- Two-factor authentication enabled with an authenticator app
- Unique password generated by the Firefox password manager (never reused, itself protected with 2FA)
- Regular activity monitoring
- Clean 10-year history with zero moderation issues

*Account statistics:*

- 10-year-old account
- 3,013 contributions
- 185,224 karma (likely the highest-karma account on r/france; not flexing, because I don't care at all about karma, just pointing out this is not a random new account)
- Zero violations or warnings in 10 years

*Attack timeline (CEST):*

- Night of Oct 2-3: Account compromised, attackers posted pornographic content
- Oct 3, morning: Discovered the hack, changed password immediately, warned Reddit using their contact form
- Oct 3, ~2:30 PM: Received 3-day temporary ban for "vote manipulation"
- Oct 3, ~6:51 PM: Ban upgraded to permanent
- Oct 4: Submitted appeal with all evidence
- Oct 4: Appeal denied without investigation

*Evidence of unauthorized access:* clear logins from US IP addresses while I'm located in France and have always used the same two (work/home) fixed IP addresses for my account for at least the last 5 years:

- 165.123.230.107 (University of Pennsylvania)
- 167.248.80.41 (Allo Communications LLC)

Reddit's response to my appeal was simply: "your appeal will not be granted and your ban will remain in place" - no investigation, no consideration of the evidence showing compromised access from foreign IPs.

*This seems to indicate either:*

- A security vulnerability in Reddit's 2FA implementation
- Sophisticated cookie theft malware (though no AV detection)
- A broader security issue on Reddit's end

The most concerning aspect is that Reddit's appeal system appears to automatically deny requests without human review, even when there's clear evidence of account compromise. A decade of legitimate participation and community contribution was wiped out instantly with no recourse.

Has anyone experienced similar incidents? What are the options when legitimate account recovery appeals are automatically denied despite evidence of compromise?