Accounts of some Reddit users have been locked out or suspended due to irregular behavior that could suggest unauthorized access. The Reddit security team has stated that it plans to allow affected users to perform a password reset in a few hours' time.
The suspected cause for the unusual activity seen from the locked accounts is a credential stuffing attack, which takes advantage of users’ practice of reusing the same login password for multiple websites and online services.
Recycling credentials is a dangerous habit because it gives an attacker the opportunity to test stolen username/password pairs against other services. If they work, the attacker gains access to other accounts with minimal effort.
Unauthorized access spotted in some cases
Some users are not convinced that a credential stuffing attack is a possible explanation for the precautionary measure, saying that their Reddit credentials were unique and sufficiently strong.
One member suggested a “check for reddit data/security leaks instead of only user-errors.” Another suggested a large scale account hijacking scenario, similar to what happened recently to 50 million Facebook accounts due to a vulnerability that allowed the stealing of access tokens.
However, multiple users reported that the activity log for their account showed that it had been accessed from different countries (Italy, Brazil, Russia, Bangladesh, Thailand). One of them admitted to having a simple password.
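A defender-side way to surface both signals discussed here, one source trying many usernames (the credential stuffing pattern) and one account logging in from several countries within a short window (what the locked-out users saw in their activity logs), as an added example that is not part of the original article and not Reddit's own tooling; the log format, field names and sample lines are constructed for the example:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login events in a hypothetical log format (not Reddit's).
SAMPLE_LOG = """\
2018-08-01T10:00:01Z login user=alice ip=203.0.113.5 country=US result=ok
2018-08-01T10:00:03Z login user=bob ip=198.51.100.9 country=BR result=fail
2018-08-01T10:00:04Z login user=carol ip=198.51.100.9 country=BR result=fail
2018-08-01T10:00:05Z login user=dave ip=198.51.100.9 country=BR result=ok
2018-08-01T10:00:06Z login user=erin ip=198.51.100.9 country=BR result=fail
2018-08-01T10:20:00Z login user=dave ip=192.0.2.77 country=IT result=ok
2018-08-01T10:45:00Z login user=dave ip=192.0.2.88 country=TH result=ok
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    # Lines that do not match the constructed format are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def spraying_ips(events, min_users=4):
    """IPs that tried >= min_users distinct usernames, successful or not: the
    signature of one source walking a leaked username/password list."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

def multi_country_accounts(events, window=timedelta(hours=1), min_countries=2):
    """Accounts with successful logins from >= min_countries countries inside one
    window: the symptom the locked-out users saw in their activity logs."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "ok":
            by_user[e["user"]].append((e["ts"], e["country"]))
    flagged = set()
    for user, hits in by_user.items():
        for t0, _ in hits:
            countries = {c for t, c in hits if t0 <= t <= t0 + window}
            if len(countries) >= min_countries:
                flagged.add(user)
    return sorted(flagged)
```

On the sample data the first check flags the single IP that cycled through four accounts, and the second flags the one account that was then used from three countries within an hour; both thresholds are tunable and a real deployment would feed them into the lockout-and-reset flow the article describes.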
Users slowly regaining access to their accounts
It is unclear how many accounts have been locked, but in a post a few hours ago, Reddit admin Sporkicide refers to “a large group of accounts.”
Reddit is working on restoring normal access, and affected users with an email address associated with their Reddit account should receive a notification to reset their password.
However, access to Reddit is possible without a password, and Sporkicide says that users falling in this category should try the login page until they are able to gain access again; this does not mean, though, that you should constantly refresh the page until access is permitted.
Another way to receive the notification is if you have added an email address to any support ticket you sent in.
One user stated that they received the password notification below after initially being sent a note informing them that their account had been permanently suspended for breaking the rules. The user claims to have done nothing wrong to warrant the suspension.
“It may be a little while before you receive your notice, but please be patient. There’s no need to file additional support tickets or send messages to the admins at this time,” Sporkicide says.
At the moment, some users have regained access to their Reddit account, but others are still waiting for the password reset notification.
Sporkicide urges users to choose strong, unique passwords and encourages adding a valid email address to the account and turning on two-factor authentication (2FA) protection.
The recommendation from Reddit’s security team is to use at least 12 characters for the password, or, better yet, a short sentence.