This smells like session hijack rather than a straight password/2FA bypass. If an attacker stole a valid cookie (phishing page, malicious extension, or compromised machine), they can ride your session without hitting the 2FA gate. The US IPs plus sudden content spam fits that pattern.
The pragmatic checklist I’d run: log out all devices, rotate password and 2FA, switch to a hardware key/WebAuthn, audit browser extensions (disable anything non‑essential), scan the box, and revoke any third‑party app access tied to Reddit. On the policy side, keep a clear timeline of IPs and actions; in my experience, a concise paper trail sometimes gets a human review even when the first appeal doesn’t. Glad the account is back—hopefully it sticks.
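The pattern described in this comment (a valid session cookie reused from new IPs with no fresh 2FA challenge, followed by a burst of posts) is something a platform can flag server-side. The following is an added example, not code from the thread or from Reddit: a small detector over a constructed, simplified auth log. The JSON field names, thresholds and log lines are all assumptions.

```python
"""Flag sessions whose cookie is reused from outside the login country and
sessions that suddenly post in bursts. Constructed example; the log format
(one JSON object per line with ts, sid, event, ip, cc, mfa) is an assumption."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a login from France that completed 2FA, then the
# same session id (s1) used from two US IPs to post four times in one minute.
# Session s2 is a normal follow-up login for contrast.
SAMPLE_LOG = """\
{"ts":"2025-06-01T08:00:00Z","sid":"s1","event":"login","ip":"82.64.10.5","cc":"FR","mfa":true}
{"ts":"2025-06-01T08:05:00Z","sid":"s1","event":"comment","ip":"82.64.10.5","cc":"FR"}
{"ts":"2025-06-01T21:10:00Z","sid":"s1","event":"post","ip":"198.51.100.7","cc":"US"}
{"ts":"2025-06-01T21:10:20Z","sid":"s1","event":"post","ip":"198.51.100.7","cc":"US"}
{"ts":"2025-06-01T21:10:45Z","sid":"s1","event":"post","ip":"198.51.100.8","cc":"US"}
{"ts":"2025-06-01T21:11:00Z","sid":"s1","event":"post","ip":"198.51.100.8","cc":"US"}
{"ts":"2025-06-02T09:00:00Z","sid":"s2","event":"login","ip":"82.64.10.5","cc":"FR","mfa":true}
{"ts":"2025-06-02T09:30:00Z","sid":"s2","event":"comment","ip":"82.64.10.5","cc":"FR"}
"""

def parse(log):
    """Parse the log into dicts with a timezone-aware datetime in 'ts'."""
    events = [json.loads(line) for line in log.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return events

def find_suspect_sessions(log, burst_n=3, burst_secs=120):
    """Return {sid: [reasons]} for sessions that look hijacked."""
    by_sid = defaultdict(list)
    for e in parse(log):
        by_sid[e["sid"]].append(e)
    findings = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        reasons = []
        login = next((e for e in evs if e["event"] == "login"), None)
        if login is None:
            reasons.append("session used without a recorded login")
        else:
            # The cookie passed 2FA in one country and is now used from another,
            # with no new 2FA challenge: the session-hijack signature.
            foreign = sorted({e["ip"] for e in evs if e["cc"] != login["cc"]})
            if foreign:
                reasons.append(f"activity from {foreign} outside login country "
                               f"{login['cc']} with no new 2FA challenge")
        # Sudden content spam: burst_n or more posts inside burst_secs.
        posts = [e["ts"] for e in evs if e["event"] == "post"]
        for i in range(len(posts) - burst_n + 1):
            if (posts[i + burst_n - 1] - posts[i]).total_seconds() <= burst_secs:
                reasons.append(f"{burst_n}+ posts within {burst_secs}s")
                break
        if reasons:
            findings[sid] = reasons
    return findings
```

A real deployment would key on ASN or device fingerprint rather than country alone, and would respond by forcing re-authentication for the flagged session rather than by banning the account outright.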
Hello, thank you very much for your very insightful comment!
The cookie theft is also IMHO the most probable scenario. The malicious extension is the only thing that makes sense to me.
log out all devices: done
rotate password and 2FA: done
switch to a hardware key/WebAuthn: not done yet
audit browser extensions: done (I'm using only what I think are very "secure" ones: Bypass Paywalls Clean, Control Panel for Twitter, Correcteur d'orthographe et reformulateur — LanguageTool, Google Images Restored, I still don't care about cookies, Keepa - Amazon Price Tracker, Reddit Enhancement Suite, SingleFile, uBlock Origin, Voir image (https://github.com/bijij/ViewImage))
scan the box: done
revoke any third‑party app access tied to Reddit: there are none
Anyhow, thanks again!
Have you considered contacting the org's abuse email (security@upenn.edu), detailing the above, and asking for an investigation?
The IP doesn't have a negative reputation on Virustotal, which may mean whoever did it was a real person and it was a targeted attack.
Very interesting idea, I hadn't thought of that. I'll contact them tomorrow and update here if I have any kind of answer.
Reddit's appeal system should indicate if a human reviewed the decision.
Did it say the words "automation was not used in this decision" or something similar?
I have personally never seen Reddit overturn a ban, and they don't spend a lot of time on cases because they have so many nonpaying users that it probably makes little economic sense for them to do so.
My account has been re-enabled a few hours ago. No reason was given, nor even a message. It just works again. Maybe it'll be blocked again tomorrow, I have no idea what happened...
Thanks for your input.
No, nothing about a human intervention/automation was mentioned.
The exact text is:
> Note: This decision was made without the assistance of automation.
At the end of any messages from the Admin team.
Thanks for the precision. No, I did not get this message.
Appeals have always seemed like a waste of time with Reddit. It’s easier for them to just ban the account and not risk second chances. They don’t seem to really care about the users.
I was banned a few years ago over some nonsense. Probably for the best.
> A decade of legitimate participation and community contribution was wiped out instantly with no recourse.
They still have your content & don't care at all about the person who generated it. I'm sorry & hope you find a better place to post and own your content over the next decade.
I guess I'll just GDPR them and legally request that everything I wrote to be deleted.
I was also recently permanently banned by Reddit; the only reasons I can think of are:
1. Periodically, like every 3-4 months, I would run a script to delete any and all posts and comments. Also every 1-2 years I would delete my account(s) and start brand new with new accounts (to avoid doxxing).
2. I had 3 alt accounts, one for professional reasons (AI, coding, etc.), one for local interests (NYC), and one for fun/shitposting. All three linked to the same email address.
3. I did not violate any rules (except for running a script): I did not upvote/downvote each other's posts or upvote/downvote the same post from different accounts, and each account followed different subs.
IMO Reddit is cleaning up house and surely didn't like my deleting my history.
C'est la vie!
> I did not violate any rules (except for running a script)
Was running the script against the rules? If so, why include point #3?
Maybe the UFC (Union fédérale des consommateurs) can help? Some IT magazines also help with these problems.
Disclaimer: I have no idea how the UFC can help or if there are French IT magazines. I just looked at what I could do in Germany and looked at Wikipedia for what would be the French equivalent.
I really doubt it, but I'll look into it, thanks.
My guess is that you were unknowingly phished out of your account.
It does seem like it, but I'm completely puzzled by the level of sophistication the attacker must have gone to to hack my account. I mean super strong unique password + 2FA + firewall + AV? What individual can hack that? It just doesn't make any sense...
> + firewall + AV
What AV are you running? You mention it in the post as well. A huge number of these services/tools have major vulnerabilities. (The few I used to recommend/trust really haven't ever worked properly with Windows 11.)
Just Windows built-in AV. I know it's not the best, but still...
Is an online platform without voting possible?
Yes. Many of the forums from the early 2000s that are still very much in use today do not have native voting functions. Some of them have addons/extensions that can add voting. My favorite has always been phpBB [1]. Demo [2]. Instead, many of them focused on ranks, which are mostly transparent here at HN. New accounts here are green, but there are other account-related variables behind the scenes that make determinations about submissions at HN.
[1] - https://www.phpbb.com/
[2] - https://www.phpbb.com/demo/
Making a new account is the simplest thing that might work.
Not the least aggravating. Not the most just. Just the simplest. Good luck.
Yup, I'll just do that.
Over the years I've seen cases like this where a company was unresponsive to a single account's breach.
- One user took it to the media. The bad publicity got the attention of top executives, who pressured the accounts team to resolve the situation.
- One user actually just made contact with a well-placed executive and explained the situation. (In your case, that might even be a moderator.)
Also, you're not the only person I've heard who's had trouble with Reddit's account policy. If you could find others like yourself, it'd be a more interesting story for the media, or more likely to get an executive's attention.
I wondered if it could be an "inside job". (Someone disabling 2FA just long enough to log in?) Reddit ticked off its moderators earlier this month, though I'm not sure they'd have the power to do this.
> I wondered if it could be an "inside job"
This is the only thing that makes sense to me from a technical point of view.
The only thing I do not understand is why? What's the point of deleting this account? Who is benefiting from this? I don't get it...