“Security concern” forces Reddit to lock users out of their accounts

Reddit has locked a large number of users out of their accounts after being alerted to a potential security incident in the form of mass-scale unauthorised access.

The microblogging platform blamed a "security concern" for implementing the reset for some members yesterday, claiming it targeted users who were likely to have set weak passwords, or were reusing their details used across multiple sites.

However, it still remains unclear as to whether the move came in response to a reported breach of user accounts or whether it is just a precaution. The platform has rather vaguely cited weak account security among the main reasons behind the action.

"By "security concern," we mean unusual activity that did not correspond to the account's normal behavior that may indicate unauthorized access," Reddit administrator Sporkicide wrote in a post.

"The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services.

"If another site is compromised and those lists of usernames and passwords become available, it's very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk."

Work is now underway to restore access, but the number of users affected is still unknown and it's not clear how long the recovery will take.

IT Pro has asked Reddit how many users were affected by the forced password reset and whether this was in reaction to a breach or a preemptive measure, but it had not received a response at the time of publication.

Meanwhile, a handful of members cast doubt on Reddit's claims that only users who deployed weak account security were asked to reset their passwords, suggesting they themselves used tools like algorithmic generators, yet were still locked out.

The platform has also recommended that users "please, please, please make sure you choose strong passwords that are unique to Reddit", and implement two-factor authentication (2FA) to guarantee an additional layer of protection.

Many users have also posted comments flagging unusual activity they had experienced in the last few days, primarily manifesting as unauthorised logins from various locations registered in their absence from the site.

"Again, 330 million users find themselves grappling with the fact that hackers might have had the potential to access a treasure trove of their data, putting their privacy at risk," said chief scientist and McAfee fellow Raj Samani.

"Whilst I commend Reddit's honesty and the precautions they are taking to lock accounts, I cannot stress enough that users themselves need to take steps to secure their personal security immediately.

"It is time for people to wake up to the real threat they face by having the same password linked across their online accounts. If you use the same password for Reddit and a number of other apps and accounts, you need to change it now. A cybercriminal only needs to get their hands on this once to gain access to your personal and even financial information."

The notion of a "security concern" raises alarms after Reddit suffered a major breach earlier this year. Attackers made away with a trove of users' personal details after intercepting password-based 2FA codes used among a number of its own employees.

The microblogging platform also sustained a similar incident in 2016, resetting 100,000 users' passwords in light of concerns that attackers were able to gain access to user accounts following a massive LinkedIn hack four years before.

Keumars Afifi-Sabet
Contributor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.