“Security concern” forces Reddit to lock users out of their accounts

Weak password security to blame after the microblogging platform detects a sharp rise in unauthorised account access

Reddit has locked a large number of users out of their accounts after being alerted to a potential security incident in the form of mass-scale unauthorised access.

The microblogging platform blamed a "security concern" for implementing the reset for some members yesterday, claiming it targeted users who were likely to have set weak passwords, or were reusing their details used across multiple sites.

However, it still remains unclear as to whether the move came in response to a reported breach of user accounts or whether it is just a precaution. The platform has rather vaguely cited weak account security among the main reasons behind the action.

"By "security concern," we mean unusual activity that did not correspond to the account's normal behavior that may indicate unauthorized access," Reddit administrator Sporkicide wrote in a post.

"The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services.

"If another site is compromised and those lists of usernames and passwords become available, it's very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk."

Work is now underway to restore access, but the number of users affected is still unknown and it's not clear how long the recovery will take. 

IT Pro has asked Reddit how many users were affected by the forced password reset and whether this was in reaction to a breach or a preemptive measure, but it had not received a response at the time of publication. 

Meanwhile, a handful of members cast doubt on Reddit's claims that only users who deployed weak account security were asked to reset their passwords, suggesting they themselves used tools like algorithmic generators, yet were still locked out.

The platform has also recommended that users "please, please, please make sure you choose strong passwords that are unique to Reddit", and implement two-factor authentication (2FA) to guarantee an additional layer of protection.

Many users have also posted comments flagging unusual activity they had experienced in the last few days, primarily manifesting as unauthorised logins from various locations registered in their absence from the site.

"Again, 330 million users find themselves grappling with the fact that hackers might have had the potential to access a treasure trove of their data, putting their privacy at risk," said chief scientist and McAfee fellow Raj Samani.

"Whilst I commend Reddit's honesty and the precautions they are taking to lock accounts, I cannot stress enough that users themselves need to take steps to secure their personal security immediately.

"It is time for people to wake up to the real threat they face by having the same password linked across their online accounts. If you use the same password for Reddit and a number of other apps and accounts, you need to change it now. A cybercriminal only needs to get their hands on this once to gain access to your personal and even financial information."

The notion of a "security concern" raises alarms after Reddit suffered a major breach earlier this year. Attackers made away with a trove of users' personal details after intercepting password-based 2FA codes used among a number of its own employees.

The microblogging platform also sustained a similar incident in 2016, resetting 100,000 users' passwords in light of concerns that attackers were able to gain access to user accounts following a massive LinkedIn hack four years before.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

What is DevSecOps and why is it important?
Security

What is DevSecOps and why is it important?

30 Oct 2020
Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle
Security

Weekly threat roundup: NHS COVID-19 app, Nvidia, and Oracle

30 Oct 2020
Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020

Most Popular

Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020
What is Neuralink?
Technology

What is Neuralink?

24 Oct 2020
Hackers demand ransom from therapy patients after clinic data breach
Security

Hackers demand ransom from therapy patients after clinic data breach

27 Oct 2020