"On December 31, Reddit received several reports on password reset emails that were started and completed without the requests of account owners [...] We continue to work with Mailgun [provider that sends email company] to ensure that we have identified all affected accounts. At this time, the total number of confirmed impacted users is less than 20", says site administrator Gooeyblob.
The administrator states that the technical team is taking precautionary measures since they were notified of the security threat. "We know this is frustrating for the user, and we put additional controls in place to help ensure this does not happen again", added Gooeyblob.
The Mailgun also issued a statement on the subject, warning that his API key was compromised. "On January 3, 2018, Mailgun became aware of an incident in which customer's API key was compromised and immediately began diagnosing to help determine the cause and extent of the impact," explains CTO Josh Odom. "At that time, we were able to determine that the attack was caused by an account of the Mailgun employee that was compromised by an unauthorized user."