A hacker has been stealing and defacing seemingly random subreddits for a couple of weeks—all for shits and giggles and because he was bored.
The hacker, who goes by the name BVM, said he's taken over so many subreddits he's "lost count," but estimates that the number is higher than 70. The popular r/pics, r/starwars, and r/gameofthrones, among others, have seen their homepages defaced in the last few days. BVM said that his exploits are possible thanks to Reddit's crummy security, and its lack of two-factor authentication.
"Reddit's security is shit."
Why is BVM hacking these subreddits?
"No reason really. Just boredom. It's not like it's really a challenge or anything so I just do it to pass time," the hacker told me in an online chat.
BVM, who declined to say anything about his real identity other than saying he is a male, also refused to say exactly how he's taking over and defacing subreddits. But he did admit that he's hacking into moderators' accounts and then changing the CSS style of the pages, replacing it with a note taking responsibility.
As the hacker himself admitted, these hacks didn't really take a lot of skill. BVM is either phishing passwords out of the mods or brute-forcing their accounts. Given that Reddit doesn't have two-factor authentication (2FA), a mod's password really is the only barrier to entry for a subreddit.
"Reddit's security is shit," BVM told me. "If Reddit would simply add 2FA it would be a lot harder to get in."
On the bright side, Reddit seems to be responding to these incidents quickly, restoring the subreddits. The site has "a very fast support," according to BVM.
BVM doesn't really put too much thought into choosing his targets. The hacker told me that he either chooses them from the top subreddits according to redditmetrics.com, or uses the site's option to navigate to a random subreddit.
Reddit responded to these ultimately harmless, though annoying, hacks by "strongly" recommending the use of unique passwords "for Reddit accounts, separate from other online accounts and entities."
"We take the security of our users and moderators seriously, and are working to implement features that will help bolster account safety in the near future," the company said in a statement to Motherboard, though it didn't specify what kind of new features it's working on.
UPDATE, 4:50 p.m. ET: One of the mods of r/pics who got hacked by BVM reached out to me after we published this article. The mod said that his account was breached because of password reuse. In other words, he was using the same password on Reddit as well as another service or services.
This story has been edited to add Reddit's comment.