Three weeks earlier, as many as 20 Reddit users who were part of the r/btc group supporting Bitcoin Cash (BCH) lost the holdings in their hot wallets. The total amount lost was estimated to be between $2,000 and $4,000. An investigation into the theft revealed the novel tactics the hackers employed to steal Bitcoin Cash.
The hacking of the BCH hot wallets was accomplished by misusing the tipping facility provided on the social news aggregation site. The tipping process is handled by a bot named Tippr. Once a Reddit member sets the desired donation amount and activates the facility, Tippr withdraws that amount from the donor's hot wallet and sends it to the recipient.
The hacker took advantage of a vulnerability in the third-party email functionality, provided by Mailgun, to initiate a password reset of the Reddit account. Even users with two-factor authentication were unable to escape the attack. More importantly, users did not receive any kind of alert about suspicious activity in their emails.
Reddit blamed Mailgun for the incident that resulted in the loss of Bitcoin Cash from the hot wallet. Mailgun accepted fault, but said that customer payment information was not compromised in any way. Reddit engineer gooeyblob said:
“A malicious actor targeted Mailgun and gained access to Reddit’s password reset emails. The nature of the exploit meant that an unauthorized person was able to access the contents of the reset email. This individual did not have access to either Reddit’s system or to a Redditor’s email account. As an immediate precautionary measure, we moved reset emails to an in-house mail server.”
Josh Odom, Mailgun's CTO, guaranteed that the point of access exploited by the hackers has been closed. Odom also said that additional security measures have been put in place to safeguard users' data.
“Mailgun has now completed its diagnostic of accounts that were affected and has notified each of the affected users. At this time, we believe less than one percent of our customer base was potentially affected.”
Reddit has also disabled the Tippr bot temporarily. Ironically, Bitcoin supporters and even the administrator of Reddit were blamed for the incident before software engineers identified how the hacker gained access to the hot wallet.
This is not the first time such an incident has happened. A few years back, Dogecoin wallets were hacked, leading to a loss of about 21 million coins. However, the Doge community joined hands to raise money for the victims.