Reddit forces password reset of 100,000 users

A flurry of hacked accounts has forced Reddit to take action.
Written by Charlie Osborne, Contributing Writer

Reddit is enforcing the reset of 100,000 user accounts in the wake of a stream of hacked accounts.
A "general uptick" in account hijacking and takeovers, mainly by malicious -- and spam-based -- third parties, has prompted the move, according to the forum.

In a blog post this week, Reddit said that the increased rate of account takeovers comes on the heels of recent password dumps, such as the LinkedIn data breach which led to the release of data belonging to millions of users.

Reddit itself has not been compromised. Rather, password dumps from other sites, weak password choices and the reuse of the same credentials across different sites are contributing to the problem: a password leaked elsewhere can be tried against a Reddit account that shares it.

"We've ramped up our ability to detect the takeovers, and sent out 100k password resets in the last 2 weeks," Reddit says. "More are to come as we continue to verify and validate that no one except for you is using your account."

Reddit engineer "KeyserSosa", otherwise known as Christopher Slowe, advised users who receive the reset request to choose a strong, unique password and use one set of credentials for the forum alone.

Slowe also recommends that users set and verify an email address. While an email address is not required, it can be used to reset the password and recover the account if it is taken over.

In addition, the engineer noted that users can check their account activity page to keep an eye out for strange activity, such as odd locations for logging in -- which may mean the account has been compromised.

In order to reduce the surface area for potential attacks, Reddit is also planning to tackle the problem of throwaway accounts. While these types of accounts are fine in themselves, Reddit has "tons" of abandoned accounts which have never posted or voted and have not been logged into for several years.

These throwaway accounts will also be subject to the password reset spree. However, if they are not logged into within a month of the reset, they will be deleted.

"If ATOs [account takeovers] are a brush fire, abandoned, unused accounts are dry kindling," Slowe said.

The engineer also revealed that Reddit is considering enabling two-factor authentication in the future for accounts below the administration level, but integration issues with apps and different clients pose a challenge.

This is the second notable security incident to hit the website in recent weeks. In May, a "bored" hacker took over a number of subreddits on the forum, defacing them and stealing data -- just for fun.
