Mass Subreddit Defacements via Hijacked Moderator Accounts (TehBVM, 2016)
May 2016
In May 2016 an attacker using the handle 'TehBVM' hijacked the moderator accounts behind dozens of large subreddits — including r/pics, r/gameofthrones, and r/books — and defaced them by altering CSS and banners, demonstrating how reused passwords and absent 2FA let one person seize control of major communities.
What happened
Beginning around May 4, 2016, users noticed that a string of large, popular subreddits had been defaced. Among the affected communities were r/pics, r/gameofthrones, r/starwars, r/books, r/marvel, and r/robocraft, with reports of dozens of subreddits altered over a period of days. The defacements typically took the form of changed cover images, banners, and custom CSS — the cosmetic styling that subreddit moderators control — turning the look of widely followed communities into a vehicle for the attacker's message.
The perpetrator operated under the handle TehBVM and claimed on Twitter to have compromised more than a hundred subreddits in total. Crucially, this was not a breach of Reddit's own infrastructure. The attacker did not exploit a server-side vulnerability; instead, the compromise ran through individual moderator accounts. Security researchers and contemporaneous reporting attributed the takeovers to credential reuse — TehBVM appeared to be leveraging username-and-password pairs exposed in unrelated third-party data breaches, betting that some Reddit moderators had reused the same credentials, and the affected accounts were not protected by two-factor authentication, which Reddit offered but did not require.
TehBVM framed the campaign explicitly as a demonstration of weak security posture: by seizing control of high-profile communities through nothing more than recycled passwords, the attacker argued, he was showing how exposed Reddit was to credential-stuffing-style takeovers and how badly it needed to push two-factor authentication. In that sense the defacements were a public proof-of-concept rather than an attempt at data theft, though the distinction offered little comfort to the moderators whose communities were hijacked.
The timing tied the episode tightly to Reddit's broader credential crisis of that month. The same May 2016 window saw the expanded 2012 LinkedIn breach surface roughly 117 million credentials onto criminal markets, fueling account-takeover waves across the internet, and Reddit responded by force-resetting around 100,000 accounts it flagged for takeover risk. The subreddit defacements were the most visible, public-facing part of that wave: where the credential-stuffing resets were largely invisible to ordinary users, watching major subreddits get defaced one after another made the underlying password-hygiene problem impossible to ignore.
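The mechanism described above cuts both ways: the same email-to-password join an attacker performs against a leaked dump lets a platform find its own exposed accounts. The following is an added example, not Reddit's code and not a procedure this page documents, of how a site could flag reused credentials for forced reset once a third-party dump surfaces. It assumes a user table with per-user salted PBKDF2-SHA256 hashes (the KDF and iteration count are assumptions), a constructed `email:password` dump in the format such dumps are usually traded in, and hypothetical risk tiers that put moderator accounts without 2FA first; every user and credential here is made up.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: the platform stores PBKDF2-SHA256 with a per-user random salt.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the stored password hash for one user (assumed KDF, not Reddit's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class User:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    is_moderator: bool
    has_2fa: bool


def make_user(username: str, email: str, password: str, is_moderator: bool, has_2fa: bool) -> User:
    salt = os.urandom(16)
    return User(username, email, salt, hash_password(password, salt), is_moderator, has_2fa)


# Constructed user table: two moderators reuse the same weak password, one has 2FA.
USERS = [
    make_user("pics_mod", "pics_mod@example.com", "Summer2012!", True, False),
    make_user("got_mod", "got_mod@example.com", "winterfell", True, False),
    make_user("books_mod", "books_mod@example.com", "Summer2012!", True, True),
    make_user("lurker42", "lurker42@example.com", "correct horse battery staple", False, False),
]

# Constructed third-party dump, in the email:password form such dumps circulate in.
# got_mod appears in it but with a password that differs from the one used on this site.
DUMP = """\
pics_mod@example.com:Summer2012!
got_mod@example.com:hodor
books_mod@example.com:Summer2012!
someone_else@example.com:password1
"""


def parse_dump(text: str) -> dict[str, set[str]]:
    """Group leaked passwords by normalised email; a user can appear in several breaches."""
    pairs: dict[str, set[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.setdefault(email.strip().lower(), set()).add(password)
    return pairs


def flag_reused_credentials(users: list[User], dump_text: str) -> dict[str, str]:
    """Return {username: risk_tier} for every account whose live password is in the dump.

    The join key is email, the only field the dump and the user table share.
    Each candidate must be re-derived with the user's own salt, which is the
    cost of never holding plaintext but is still far cheaper than an online
    stuffing campaign against the login endpoint.
    """
    leaked = parse_dump(dump_text)
    flagged: dict[str, str] = {}
    for user in users:
        candidates = leaked.get(user.email.lower())
        if not candidates:
            continue
        for password in candidates:
            if hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
                # Hypothetical tiers: a moderator with no second factor is one
                # leaked password away from a subreddit takeover.
                if user.is_moderator and not user.has_2fa:
                    tier = "force_reset_now"
                elif user.is_moderator:
                    tier = "reset_soon"
                else:
                    tier = "notify"
                flagged[user.username] = tier
                break
    return flagged


if __name__ == "__main__":
    for name, tier in sorted(flag_reused_credentials(USERS, DUMP).items()):
        print(f"{name}: {tier}")
```

Running it flags pics_mod (moderator, no 2FA, password matches the dump) for an immediate forced reset and books_mod for a reset even though 2FA would have blocked a login, while got_mod is left alone because the leaked password is not the one in use here. The check is only as good as the join key: users who register with a different email on each site will not match, which is one reason platforms also rate-limit and anomaly-score logins rather than relying on dump matching alone.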
The incident is significant as an early, well-documented case of moderator-account compromise being used to seize the public presence of major communities — a distinct harm from a data breach, since the damage was to community control and trust rather than to a database. It foreshadowed the larger 2020 pro-Trump defacement wave, which would again exploit moderator accounts lacking 2FA, and it reinforced the recurring lesson that on Reddit the security of vast communities can hinge on the password choices of a handful of volunteer moderators.