Reddit doesn’t support 2FA – a hacker just proved why it should


Some hackers are in it for the money, some for politics, and others for the lulz.

A hacker who’s spent the last two weeks hijacking Reddit moderator accounts and defacing their subreddit pages appears to be doing it partly to make a point about Reddit’s security, and also just because he can.

Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones, /r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.

The hacker, going by the Twitter handle BVM (@TehBVM), has apparently been altering the CSS of the subreddit pages to display variations of the message “Jacked by @TehBVM.”

BVM, whose Twitter profile says he offers a “cheap hacking service,” claims to have used credentials stolen from moderators to take over their accounts and alter their subreddit pages.

The hacker won’t say how he’s getting the moderator logins – some have theorized it’s phishing, brute forcing of passwords, or using leaked passwords obtained somewhere else (BVM says on Twitter that it “wasn’t brute force”).

However BVM is getting them, a password is all that’s needed to take over an account.

Reddit doesn’t support two-factor authentication (2FA), which provides an extra layer of security to user accounts by requiring a one-time code to complete the login process.

Most of the big social media websites support 2FA, including Facebook, Twitter and Instagram (Instagram only just added 2FA in February 2016).

BVM had unkind words for Reddit’s security, telling Motherboard that “if Reddit would simply add 2FA it would be a lot harder to get in.”

Although it’s possible some moderators used weak passwords, or re-used passwords from other websites that may have been leaked, one of the moderators who was hacked claims to have used a unique, randomly generated password.

Reddit has been quick to detect the defaced pages, restoring them within a matter of minutes.

Reddit has also been freezing the hijacked moderator accounts and forcing password resets.

This is not the first time moderators have been hacked and subreddits defaced.

Moderator alienth posted two years ago that moderators were being targeted for account break-ins, after several big subreddits were defaced.

Reddit was already “looking into” adding “some form of multi-factor authentication” back in March 2014, alienth claimed.

So, how about it, Reddit?
