- Two-factor authentication enabled with authenticator app
- Unique password generated by Firefox password manager (never reused, itself protected with 2FA)
- Regular activity monitoring
- Clean 10-year history with zero moderation issues
Account statistics:
- 10-year-old account
- 3,013 contributions
- 185,224 karma (likely the highest karma account on r/france, not flexing because I don't care at all about karma, just pointing out this is not a random new account)
- Zero violations or warnings in 10 years
Attack timeline (CEST):
- Night of Oct 2-3: Account compromised, attackers posted pornographic content
- Oct 3, morning: Discovered the hack, changed password immediately, warned Reddit using their contact form
- Oct 3, ~2:30 PM: Received 3-day temporary ban for "vote manipulation"
- Oct 3, ~6:51 PM: Ban upgraded to permanent
- Oct 4: Submitted appeal with all evidence
- Oct 4: Appeal denied without investigation
Evidence of unauthorized access: clear logins from US IP addresses, while I'm located in France and have always used the same two fixed (work/home) IP addresses to access my account for the last 5 years at least:
- 165.123.230.107 (University of Pennsylvania)
- 167.248.80.41 (Allo Communications LLC)
Reddit's response to my appeal was simply: "your appeal will not be granted and your ban will remain in place" - no investigation, no consideration of the evidence showing compromised access from foreign IPs.
This seems to indicate either:
- A security vulnerability in Reddit's 2FA implementation
- Sophisticated cookie theft malware (though no AV detection)
- A broader security issue on Reddit's end
The most concerning aspect is that Reddit's appeal system appears to automatically deny requests without human review, even when there's clear evidence of account compromise. A decade of legitimate participation and community contribution was wiped out instantly with no recourse.
Has anyone experienced similar incidents? What are the options when legitimate account recovery appeals are automatically denied despite evidence of compromise?
Did it say the words "automation was not used in this decision" or something similar?
I have personally never seen Reddit overturn a ban, and they don't spend a lot of time on cases because they have so many nonpaying users that it probably makes little economic sense for them to do so.
I was banned a few years ago over some nonsense. Probably for the best.
Disclaimer: I have no idea how the UFC can help or if there are French IT magazines. I just looked at what I could do in Germany and looked on Wikipedia for what would be the French equivalent.
1. Periodically, like every 3-4 months, I would run a script to delete any and all posts and comments. Also, every 1-2 years I would delete my account(s) and start brand-new with new accounts (to avoid doxxing).
2. I had 3 alt accounts, one for professional reasons (AI, coding, etc), one for local interests (NYC), and one for fun/shitposting. All three linked to the same email address.
3. I did not violate any rules (except for running a script), I did not upvote/downvote each other's posts or upvote/downvote the same post from different accounts, and each account followed different subs.
IMO Reddit is cleaning up house and surely didn't like my deleting my history.
C'est la vie!
They still have your content & don't care at all about the person who generated it. I'm sorry & hope you find a better place to post and own your content over the next decade.
Not the least aggravating. Not the most just. Just the simplest. Good luck.
- One user took it to the media. The bad publicity got the attention of top executives, who pressured the accounts team to resolve the situation.
- One user actually just made contact with a well-placed executive and explained the situation. (In your case, that might even be a moderator.)
Also, you're not the only person I've heard who's had trouble with Reddit's account policy. If you could find others like yourself, it'd be a more interesting story for the media, or more likely to get an executive's attention.
I wondered if it could be an "inside job". (Someone disabling 2FA just long enough to log in?) Reddit ticked off its moderators earlier this month, though I'm not sure they'd have the power to do this.