- Two-factor authentication enabled with authenticator app
- Unique password generated by Firefox password manager (never reused, itself protected with 2FA)
- Regular activity monitoring
- Clean 10-year history with zero moderation issues
Account statistics:
- 10 years old account
- 3,013 contributions
- 185,224 karma (likely the highest karma account on r/france, not flexing because I don't care at all about karma, just pointing out this is not a random new account)
- Zero violations or warnings in 10 years
Attack timeline (CEST):
- Night of Oct 2-3: Account compromised, attackers posted pornographic content
- Oct 3, morning: Discovered the hack, changed password immediately, warned Reddit using their contact form
- Oct 3, ~2:30 PM: Received 3-day temporary ban for "vote manipulation"
- Oct 3, ~6:51 PM: Ban upgraded to permanent
- Oct 4: Submitted appeal with all evidence
- Oct 4: Appeal denied without investigation
Evidence of unauthorized access: clear logins from US IP addresses while I'm located in France and have always used the same two (work/home) fixed IP addresses for my account for at least the last 5 years:
- 165.123.230.107 (University of Pennsylvania)
- 167.248.80.41 (Allo Communications LLC)
Reddit's response to my appeal was simply: "your appeal will not be granted and your ban will remain in place" - no investigation, no consideration of the evidence showing compromised access from foreign IPs.
This seems to indicate either:
- A security vulnerability in Reddit's 2FA implementation
- Sophisticated cookie theft malware (though no AV detection)
- A broader security issue on Reddit's end
The most concerning aspect is that Reddit's appeal system appears to automatically deny requests without human review, even when there's clear evidence of account compromise. A decade of legitimate participation and community contribution was wiped out instantly with no recourse.
Has anyone experienced similar incidents? What are the options when legitimate account recovery appeals are automatically denied despite evidence of compromise?
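The foreign-IP evidence above is the kind of thing worth turning into a reproducible timeline before appealing. The following is an added example, not code from the post: it takes a small constructed login history (the two unfamiliar addresses are the ones listed above; the work/home addresses are placeholders from documentation ranges, since the post does not disclose the real ones), flags every login that did not come from a known-good address, and prints the window between the first and last unknown login.

```python
import ipaddress
from datetime import datetime

# Addresses the account holder always logs in from. Constructed placeholders
# from documentation ranges; the post does not disclose the real ones.
KNOWN_GOOD = {
    ipaddress.ip_address("203.0.113.10"): "work",
    ipaddress.ip_address("198.51.100.25"): "home",
}

# Constructed login history, one "ISO-8601 timestamp,ip,user agent" record
# per line. The two unfamiliar addresses are the ones quoted in the post.
SAMPLE_LOG = """\
2025-09-28T08:12:03+02:00,203.0.113.10,Firefox/131.0
2025-10-01T21:40:11+02:00,198.51.100.25,Firefox/131.0
2025-10-03T02:17:45+02:00,165.123.230.107,Chrome/129.0
2025-10-03T02:59:02+02:00,167.248.80.41,Chrome/129.0
2025-10-03T09:05:30+02:00,198.51.100.25,Firefox/131.0
"""


def parse_log(text):
    """Parse the CSV-like history into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            continue
        ts, ip, ua = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "ip": ipaddress.ip_address(ip),
                "ua": ua,
            })
        except ValueError:
            continue  # unparsable timestamp or address
    return sorted(events, key=lambda e: e["ts"])


def find_unknown_logins(events, known_good):
    """Return the logins that did not come from a known-good address."""
    return [e for e in events if e["ip"] not in known_good]


def compromise_window(events, known_good):
    """(first unknown login, last unknown login), or None if every login is known."""
    unknown = find_unknown_logins(events, known_good)
    if not unknown:
        return None
    return unknown[0]["ts"], unknown[-1]["ts"]


def report(text=SAMPLE_LOG, known_good=KNOWN_GOOD):
    """Build the plain-text timeline one would attach to an appeal."""
    events = parse_log(text)
    lines = []
    for e in events:
        label = known_good.get(e["ip"], "UNKNOWN")
        lines.append(f"{e['ts'].isoformat()}  {str(e['ip']):16}  {label:8}  {e['ua']}")
    window = compromise_window(events, known_good)
    if window:
        lines.append(
            f"unknown-source logins between {window[0].isoformat()} and {window[1].isoformat()}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run it against whatever login history export you can obtain; the user-agent column is there because a change of browser family at the same moment as a change of address is a second, independent signal of someone else holding the session.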
The pragmatic checklist I’d run: log out all devices, rotate password and 2FA, switch to a hardware key/WebAuthn, audit browser extensions (disable anything non‑essential), scan the box, and revoke any third‑party app access tied to Reddit. On the policy side, keep a clear timeline of IPs and actions; in my experience, a concise paper trail sometimes gets a human review even when the first appeal doesn’t. Glad the account is back—hopefully it sticks.
The cookie theft is also IMHO the most probable scenario. The malicious extension is the only thing that makes sense to me.
log out all devices: done
rotate password and 2FA: done
switch to a hardware key/WebAuthn: not done yet
audit browser extensions: done (I'm using only what I think are very "secure" ones: Bypass Paywalls Clean, Control Panel for Twitter, Correcteur d'orthographe et reformulateur — LanguageTool, Google Images Restored, I still don't care about cookies, Keepa - Amazon Price Tracker, Reddit Enhancement Suite, SingleFile, uBlock Origin, Voir image (https://github.com/bijij/ViewImage))
scan the box: done
revoke any third‑party app access tied to Reddit: there are none
Anyhow, thanks again!
Sorry for just offering speculation, hopefully you figure it out. Even if it was "only" a Reddit account, the feeling of not knowing how it happened and if other things are at risk must be horrible.
https://crxplorer.com/ might help you to inspect your extensions a bit deeper if you are interested and have the knowledge.
And finally, just a comment, passkeys/webauthn/fido keys would not protect against a session cookie theft. They only prevent the login stage from being phished.
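Since the thread converges on a cookie-stealing extension as the likely cause, a first-pass audit is to list which installed extensions could even reach a session cookie, before looking at any of them in depth with a tool like the one linked above. The following is an added example, not code from the thread or from any of the extensions named in it: it reads a constructed sample shaped like Firefox's per-profile extensions.json (the layout, an "addons" list with "userPermissions" holding "permissions" and "origins", is an assumption about that file; the extension ids and names are made up) and ranks active extensions by whether they hold the cookies or webRequest APIs and whether they apply to all sites.

```python
import json

# Constructed sample shaped like Firefox's per-profile extensions.json.
# Assumed layout: a top-level "addons" list whose entries carry "id",
# "type", "active", "defaultLocale.name" and "userPermissions" with
# "permissions" and "origins". All ids and names are made up.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "addons": [
        {"id": "blocker@example.test", "type": "extension", "active": True,
         "defaultLocale": {"name": "Constructed Content Blocker"},
         "userPermissions": {"permissions": ["webRequest", "webRequestBlocking", "storage"],
                             "origins": ["<all_urls>"]}},
        {"id": "helper@example.test", "type": "extension", "active": True,
         "defaultLocale": {"name": "Constructed Shopping Helper"},
         "userPermissions": {"permissions": ["cookies", "tabs", "storage"],
                             "origins": ["*://*/*"]}},
        {"id": "theme@example.test", "type": "theme", "active": True,
         "defaultLocale": {"name": "Constructed Theme"},
         "userPermissions": {"permissions": [], "origins": []}},
        {"id": "old@example.test", "type": "extension", "active": False,
         "defaultLocale": {"name": "Constructed Disabled Tool"},
         "userPermissions": {"permissions": ["cookies"], "origins": ["<all_urls>"]}},
    ]
})

# API permissions that expose session cookies or request headers, weighted:
# "cookies" reads the cookie jar directly (HttpOnly included), the webRequest
# pair sees request headers on the wire.
COOKIE_CAPABLE = {"cookies": 3, "webRequest": 1, "webRequestBlocking": 1}
# Host patterns that apply those APIs to every site, Reddit included.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(raw_json):
    """List active extensions that could read or alter cookies, most capable first."""
    data = json.loads(raw_json)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons run no code
        user_perms = addon.get("userPermissions", {})
        perms = set(user_perms.get("permissions", []))
        origins = set(user_perms.get("origins", []))
        apis = sorted(p for p in perms if p in COOKIE_CAPABLE)
        broad = bool(origins & BROAD_HOSTS)
        if not apis and not broad:
            continue
        findings.append({
            "id": addon.get("id"),
            "name": addon.get("defaultLocale", {}).get("name", addon.get("id")),
            "apis": apis,
            "all_sites": broad,
            # an API permission alone is limited to the hosts the user granted;
            # combined with an all-sites origin it reaches every session cookie
            "score": sum(COOKIE_CAPABLE[p] for p in apis) + (2 if broad else 0),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def load_profile(path):
    """Read a real extensions.json from a profile directory; the sample is used otherwise."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{f['score']}  {f['name']}  apis={f['apis']}  all_sites={f['all_sites']}")
```

The output is a review list, not a verdict: a content blocker legitimately needs webRequest on every site, so the point is to know which few extensions to inspect closely (update history, publisher change, minified code) rather than to distrust all of them.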
Did it say the words "automation was not used in this decision" or something similar?
I have personally never seen Reddit overturn a ban, and they don't spend a lot of time on cases because they have so many nonpaying users it probably makes little economic sense for them to do so.
No, nothing about a human intervention/automation was mentioned.
> Note: This decision was made without the assistance of automation.
At the end of any messages from the Admin team.
They still have your content & don't care at all about the person who generated it. I'm sorry & hope you find a better place to post and own your content over the next decade.
I was banned a few years ago over some nonsense. Probably for the best.
- One user took it to the media. The bad publicity got the attention of top executives, who pressured the accounts team to resolve the situation.
- One user actually just made contact with a well-placed executive and explained the situation. (In your case, that might even be a moderator.)
Also, you're not the only person I've heard who's had trouble with Reddit's account policy. If you could find others like yourself, it'd be a more interesting story for the media, or more likely to get an executive's attention.
I wondered if it could be an "inside job". (Someone disabling 2FA just long enough to log in?) Reddit ticked off its moderators earlier this month, though I'm not sure they'd have the power to do this.
This is the only thing that makes sense to me from a technical point of view.
The only thing I do not understand is why? What's the point of deleting this account? Who is benefiting from this? I don't get it...
The IP doesn't have a negative reputation on VirusTotal, which may mean whoever did it was a real person and it was a targeted attack.
1. periodically like every 3-4 months I would be running a script to delete any and all posts and comments. Also every 1-2 years I would delete my account(s), and start brand-new with new accounts (to avoid doxxing).
2. I had 3 alt accounts, one for professional reasons (AI, coding, etc), one for local interests (NYC), and one for fun/shitposting. All three linked to the same email address.
3. I did not violate any rules (except for running a script): I did not upvote/downvote each other's posts or upvote/downvote the same post from different accounts, and each account followed different subs.
IMO Reddit is cleaning up house and surely didn't like my deleting my history.
C'est la vie!
Was running the script against the rules? If so, why include point #3?
Disclaimer: I have no idea how the UFC can help or if there are French IT magazines. I just looked at what I could do in Germany and looked on Wikipedia for what the French equivalent would be.
What AV are you running? You mention it in the post as well. A huge number of these services/tools have major vulnerabilities. (The few I used to recommend/trust really haven't ever worked properly with Windows 11.)