Reddit this week locked some users out of their accounts and forced password resets after sighting “unusual activity” on the website.
A post from Reddit admin u/Sporkicide explains that a “large group of accounts were locked down due to a security concern”, clarifying: “by ‘security concern,’ we mean unusual activity that did not correspond to the account’s normal behaviour that may indicate unauthorized access.”
While it’s not yet entirely clear what form this so-called unusual activity took, u/Sporkicide suggests that bad password practices led to a credential stuffing attack. In a credential stuffing attack, attackers take username and password pairs previously stolen from one site and try them against other, unrelated websites, on the assumption that some users reused the same details.
“If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk,” u/Sporkicide explains.
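The pattern described above has a characteristic footprint on the receiving site: one source tries many different usernames in a short time, most attempts fail, and the occasional success is the reused credential landing. The following detector is an added example, not code from Reddit or the article; the log line format and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) authentication log format:
#   <ISO timestamp> ip=<source> user=<username> result=ok|fail
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one source sprays six different accounts in under
# a minute and lands one hit; a second source is a single user mistyping
# a password twice; a third is a clean login.
SAMPLE_LOG = """
2018-01-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2018-01-01T10:00:04 ip=203.0.113.7 user=bob result=fail
2018-01-01T10:00:09 ip=203.0.113.7 user=carol result=fail
2018-01-01T10:00:13 ip=203.0.113.7 user=dave result=ok
2018-01-01T10:00:18 ip=203.0.113.7 user=erin result=fail
2018-01-01T10:00:22 ip=203.0.113.7 user=frank result=fail
2018-01-01T10:01:00 ip=198.51.100.20 user=grace result=fail
2018-01-01T10:01:30 ip=198.51.100.20 user=grace result=fail
2018-01-01T10:02:00 ip=198.51.100.20 user=grace result=ok
2018-01-01T10:03:00 ip=192.0.2.44 user=heidi result=ok
""".strip().splitlines()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "result": m["result"],
    }


def find_stuffing_sources(lines, window=timedelta(minutes=5),
                          min_distinct_users=5, min_failure_ratio=0.8):
    """Flag source IPs whose attempts within any sliding window touch many
    distinct usernames and mostly fail. Returns {ip: summary} with the
    widest offending window seen for each flagged IP."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if e["result"] == "fail")
            ratio = failures / len(span)
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        # Accounts that accepted a sprayed credential: these
                        # are the ones to lock and force through a reset.
                        "hit_users": sorted(
                            e["user"] for e in span if e["result"] == "ok"
                        ),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

The single-user retry from 198.51.100.20 is deliberately not flagged: per-account lockout thresholds catch that case, while the per-source, many-accounts view is what separates a stuffing run from ordinary typos. The `hit_users` list is the operational output, the set of accounts where a reused password worked and which therefore need the kind of forced reset Reddit applied.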
Some Reddit users are speculating, however, that a credential stuffing attack is an unlikely explanation for the lockdown, saying that their Reddit credentials were unique and sufficiently strong. Bleeping Computer reports that some are even suggesting that Reddit has suffered a large-scale account hijacking, similar to what happened recently to 50 million Facebook accounts.
Reddit’s post goes on to explain that “over the next few hours, affected accounts will be allowed to reset their passwords to be unlocked and restored”.
“Please, please, please make sure you choose strong passwords that are unique to Reddit,” u/Sporkicide pleads.
“I also encourage you to take this opportunity to make sure your email address is up to date to enable automated password resets and to add two-factor authentication to further secure your account.”
Source: Inquirer