“Security concern” forces Reddit to lock users out of their accounts

Weak password security to blame after the microblogging platform detects a sharp rise in unauthorised account access

Reddit has locked a large number of users out of their accounts after being alerted to a potential security incident in the form of mass-scale unauthorised access.

The microblogging platform blamed a "security concern" for implementing the reset for some members yesterday, claiming it targeted users who were likely to have set weak passwords, or were reusing their details used across multiple sites.

Advertisement - Article continues below

However, it still remains unclear as to whether the move came in response to a reported breach of user accounts or whether it is just a precaution. The platform has rather vaguely cited weak account security among the main reasons behind the action.

"By "security concern," we mean unusual activity that did not correspond to the account's normal behavior that may indicate unauthorized access," Reddit administrator Sporkicide wrote in a post.

"The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services.

"If another site is compromised and those lists of usernames and passwords become available, it's very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk."

Work is now underway to restore access, but the number of users affected is still unknown and it's not clear how long the recovery will take. 

Advertisement - Article continues below
Advertisement - Article continues below

IT Pro has asked Reddit how many users were affected by the forced password reset and whether this was in reaction to a breach or a preemptive measure, but it had not received a response at the time of publication. 

Meanwhile, a handful of members cast doubt on Reddit's claims that only users who deployed weak account security were asked to reset their passwords, suggesting they themselves used tools like algorithmic generators, yet were still locked out.

The platform has also recommended that users "please, please, please make sure you choose strong passwords that are unique to Reddit", and implement two-factor authentication (2FA) to guarantee an additional layer of protection.

Many users have also posted comments flagging unusual activity they had experienced in the last few days, primarily manifesting as unauthorised logins from various locations registered in their absence from the site.

"Again, 330 million users find themselves grappling with the fact that hackers might have had the potential to access a treasure trove of their data, putting their privacy at risk," said chief scientist and McAfee fellow Raj Samani.

Advertisement - Article continues below

"Whilst I commend Reddit's honesty and the precautions they are taking to lock accounts, I cannot stress enough that users themselves need to take steps to secure their personal security immediately.

"It is time for people to wake up to the real threat they face by having the same password linked across their online accounts. If you use the same password for Reddit and a number of other apps and accounts, you need to change it now. A cybercriminal only needs to get their hands on this once to gain access to your personal and even financial information."

The notion of a "security concern" raises alarms after Reddit suffered a major breach earlier this year. Attackers made away with a trove of users' personal details after intercepting password-based 2FA codes used among a number of its own employees.

The microblogging platform also sustained a similar incident in 2016, resetting 100,000 users' passwords in light of concerns that attackers were able to gain access to user accounts following a massive LinkedIn hack four years before.



cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020