Ask HN: 10-year-old Reddit account hacked despite two-factor authentication being enabled.
My 10-year Reddit account (u/guilamu) was compromised on the night of October 2-3, 2025, despite having proper security measures in place:
- Two-factor authentication enabled with an authenticator app
- Unique password generated by the Firefox password manager (never reused, itself protected with 2FA)
- Regular activity monitoring
- Clean 10-year history with zero moderation issues
*Account statistics:*
- 10-year-old account
- 3,013 contributions
- 185,224 karma (likely the highest-karma account on r/france, not flexing because I don't care at all about karma, just pointing out this is not a random new account)
- Zero violations or warnings in 10 years
*Attack timeline (CEST):*
- Night of Oct 2-3: Account compromised, attackers posted pornographic content
- Oct 3, morning: Discovered the hack, changed the password immediately, warned Reddit using their contact form
- Oct 3, ~2:30 PM: Received a 3-day temporary ban for "vote manipulation"
- Oct 3, ~6:51 PM: Ban upgraded to permanent
- Oct 4: Submitted an appeal with all the evidence
- Oct 4: Appeal denied without investigation
*Evidence of unauthorized access:* clear logins from US IP addresses while I'm located in France and have always used the same two (work/home) fixed IP addresses to access my account for at least the last 5 years:
- 165.123.230.107 (University of Pennsylvania)
- 167.248.80.41 (Allo Communications LLC)
Reddit's response to my appeal was simply: "your appeal will not be granted and your ban will remain in place" - no investigation, no consideration of the evidence showing compromised access from foreign IPs.
*This seems to indicate either:*
- A security vulnerability in Reddit's 2FA implementation
- Sophisticated cookie-theft malware (though no AV detection)
- A broader security issue on Reddit's end
The most concerning aspect is that Reddit's appeal system appears to automatically deny requests without human review, even when there is clear evidence of account compromise. A decade of legitimate participation and community contribution was wiped out instantly with no recourse.
Has anyone experienced similar incidents? What are the options when legitimate account recovery appeals are automatically denied despite evidence of compromise?