Did You Get Locked out of Reddit? You Can Now Reset Your Password
If you run an online platform that has hundreds of millions of users, you can never sit back and relax. You need to be on alert constantly, and you need to act quickly if you see something you don't like. Then, when the problem's gone, you have to make sure that everyone knows what happened and why. Yesterday, Reddit's security people were put in a position where they had to prove that they can do all this. How did they fare?
"A large group" of Redditors got locked out of their accounts
On Wednesday, some Reddit users found themselves logged out of their accounts, and when they tried logging back in, the system wouldn't accept the right username and password. The reason for all this wasn't known at the time, and we can only imagine that people didn't feel very good about it. Yesterday, Sporkicide, one of the moderators of the r/help subreddit, finally explained what had happened.
Apparently, the news aggregator's security team noticed some "unusual activity" concerning "a large group of accounts." The affected accounts, Sporkicide's post read, showed behavior that might have indicated unauthorized access. To stop the attack, Reddit locked the accounts down, and yesterday, it allowed their owners to reset their passwords. It seems like the right thing to do, but it must be said that not everything about Reddit's reaction was perfect.
For one, instead of issuing an official announcement, Reddit informed the public about the incident via a post written by a person behind a pseudonym. What's more, some users don't seem to agree with everything in that post.
Reddit blames credential stuffing, but users aren't convinced
According to Sporkicide's post, the crooks gained unauthorized access to the accounts by entering the right usernames and passwords. Apparently, however, they didn't get them by breaking Reddit's defenses. Sporkicide said that the login credentials were stolen from another service, and that rampant reuse of the compromised passwords let the crooks in. In other words, Reddit thinks it's been targeted by a credential stuffing attack, and to help users protect themselves better, it urged them to use unique passwords for all their accounts.
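As an added illustration (not code from the article or from Reddit), here is one way a platform's security team could separate credential stuffing from ordinary brute-forcing in its own login logs, and pick out the accounts whose reused password evidently worked and should be reset. The log format, IP addresses and usernames below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample auth log (not Reddit data): "timestamp ip user result".
SAMPLE_LOG = """\
2019-01-09T10:00:01 203.0.113.5 alice FAIL
2019-01-09T10:00:02 203.0.113.5 bob FAIL
2019-01-09T10:00:02 203.0.113.5 carol OK
2019-01-09T10:00:03 203.0.113.5 dave FAIL
2019-01-09T10:00:04 203.0.113.5 erin OK
2019-01-09T10:00:05 203.0.113.5 frank FAIL
2019-01-09T10:00:20 198.51.100.7 alice FAIL
2019-01-09T10:00:21 198.51.100.7 alice FAIL
2019-01-09T10:00:22 198.51.100.7 alice FAIL
2019-01-09T10:00:23 198.51.100.7 alice FAIL
2019-01-09T10:00:24 198.51.100.7 alice FAIL
2019-01-09T10:00:25 198.51.100.7 alice FAIL
2019-01-09T10:01:00 192.0.2.9 gina OK
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((ts, ip, user, result == "OK"))
    return events

def classify_sources(events, min_attempts=5, stuffing_ratio=0.8):
    """Label each source IP. Credential stuffing tries one leaked password per
    account across many accounts, so the distinct-user/attempt ratio is high;
    brute force hammers few accounts with many guesses, so it is low."""
    attempts, users = defaultdict(int), defaultdict(set)
    for _, ip, user, _ in events:
        attempts[ip] += 1
        users[ip].add(user)
    labels = {}
    for ip, n in attempts.items():
        if n < min_attempts:
            labels[ip] = "normal"
        elif len(users[ip]) / n >= stuffing_ratio:
            labels[ip] = "stuffing"
        else:
            labels[ip] = "brute_force"
    return labels

def accounts_to_lock(events, labels):
    """Accounts that logged in successfully from a stuffing source: their
    reused password worked, so they are the ones to lock and force a reset."""
    return sorted({u for _, ip, u, ok in events if ok and labels.get(ip) == "stuffing"})
```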
As soon as you scroll down to see the replies, however, you'll see plenty of affected people who claim that they've been doing this for a while. They say that their Reddit accounts have been protected by a unique password that can't have been stolen from anywhere else. There is no way of knowing if all these people are completely honest, but if they are, Reddit has some explaining to do.
All this comes less than a year after Reddit suffered a fully-fledged data breach. In August, the self-proclaimed "front page of the internet" announced that after intercepting some 2FA codes, hackers were able to compromise the accounts of some Reddit employees and eventually stole personal information belonging to all redditors that were active as of May 2007.
Last year's hacking incident and the current stream of unhappy replies under Sporkicide's announcement don't put Reddit's security people in the best light, and it must be said that they don't do themselves any favors by refusing to disclose the exact number of affected individuals on both occasions. Hopefully, they will manage to avoid any further embarrassment.