Hatchet News

My 10-year Reddit account (u/guilamu) was compromised on the night of October 2-3, 2025, despite having proper security measures in place:

- Two-factor authentication enabled with an authenticator app

- Unique password generated by Firefox password manager (never reused, itself protected with 2FA)

- Regular activity monitoring

- Clean 10-year history with zero moderation issues

Account statistics:

- 10-year-old account

- 3,013 contributions

- 185,224 karma (likely the highest karma account on r/france, not flexing because I don't care at all about karma, just pointing out this is not a random new account)

- Zero violations or warnings in 10 years

Attack timeline (CEST):

- Night of Oct 2-3: Account compromised, attackers posted pornographic content

- Oct 3, morning: Discovered the hack, changed password immediately, warned Reddit using their contact form

- Oct 3, ~2:30 PM: Received 3-day temporary ban for "vote manipulation"

- Oct 3, ~6:51 PM: Ban upgraded to permanent

- Oct 4: Submitted appeal with all evidence

- Oct 4: Appeal denied without investigation

Evidence of unauthorized access: clear logins from US IP addresses, while I'm located in France and have always used the same two (work/home) fixed IP addresses to access my account for the last 5 years at least:

- 165.123.230.107 (University of Pennsylvania)

- 167.248.80.41 (Allo Communications LLC)

Reddit's response to my appeal was simply: "your appeal will not be granted and your ban will remain in place" - no investigation, no consideration of the evidence showing compromised access from foreign IPs.

This seems to indicate either:

- A security vulnerability in Reddit's 2FA implementation

- Sophisticated cookie theft malware (though no AV detection)

- A broader security issue on Reddit's end

The most concerning aspect is that Reddit's appeal system appears to automatically deny requests without human review, even when there's clear evidence of account compromise. A decade of legitimate participation and community contribution was wiped out instantly with no recourse.

Has anyone experienced similar incidents? What are the options when legitimate account recovery appeals are automatically denied despite evidence of compromise?