Reddit, the popular social media platform with over 330 million unique monthly users, has been forced to block access for a “large group of accounts” in a security incident.
A Reddit blog post by “Sporkicide” cited “unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access.”
They added: “The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services.”
With 517 Million Passwords Leaked, Such Attacks are Common
“If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work”, they added – a so-called “credential stuffing” attack.
(There are over 517 million “real world” passwords in circulation that have been exposed in previous data breaches, according to haveibeenpwned.com).
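The replay pattern described above, a leaked list of usernames and passwords tried one after another against a site, has a recognisable shape in an authentication log: one source trying many distinct usernames with mostly failures. The following detector is an added example, not Reddit's code and not from the original article; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sample authentication log in an assumed format (not Reddit's).
# 203.0.113.5 replays a leaked credential list: many distinct usernames, mostly
# failures, one hit. 198.51.100.7 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2018-08-01T10:00:01Z login user=alice src=203.0.113.5 result=fail
2018-08-01T10:00:02Z login user=bob src=203.0.113.5 result=fail
2018-08-01T10:00:03Z login user=carol src=203.0.113.5 result=fail
2018-08-01T10:00:04Z login user=dave src=203.0.113.5 result=fail
2018-08-01T10:00:05Z login user=erin src=203.0.113.5 result=ok
2018-08-01T10:00:06Z login user=frank src=203.0.113.5 result=fail
2018-08-01T10:01:00Z login user=grace src=198.51.100.7 result=fail
2018-08-01T10:01:09Z login user=grace src=198.51.100.7 result=ok
2018-08-01T10:02:00Z login user=heidi src=192.0.2.9 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines not matching the assumed format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flag_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Return sources that tried many distinct usernames with mostly failures,
    the signature of a leaked list being replayed. 'compromised' lists the
    accounts that source logged into successfully: lock and reset those."""
    per_src = defaultdict(lambda: {"users": set(), "ok": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok"].add(e["user"])
    flagged = {}
    for src, s in per_src.items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "fail_ratio": round(fail_ratio, 2),
                            "compromised": sorted(s["ok"])}
    return flagged

if __name__ == "__main__":
    for src, info in flag_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

A single user retrying a mistyped password is not flagged because the distinct-username count stays at one; the accounts listed under `compromised` are the ones a site would lock, as Reddit did here.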
Reddit Account Attack: Password Recycling Has to Stop
Raj Samani, Chief Scientist and McAfee Fellow said in an emailed comment: “Whilst I commend Reddit’s honesty and the precautions they are taking to lock accounts, I cannot stress enough that users themselves need to take steps to secure their personal security immediately. It is time for people to wake up to the real threat they face by having the same password linked across their online accounts.
“Recent McAfee research revealed a third of people rely on the same three passwords for every account they are signed up to. If you use the same password for Reddit and a number of other apps and accounts, you need to change it NOW. A cybercriminal only needs to get their hands on this once to gain access to your personal and even financial information. We know it’s hard to remember all your passwords but using a password generator and manager can help solve this problem and ensure you don’t become an easy target for these sophisticated cybercriminals.”
In response to one user asking how often Reddit users are prompted to review their security settings and how often they are encouraged to set up two-factor authentication (2FA), Reddit’s Sporkicide admitted: “Not often enough and we know it 🙂 Those are good ideas and we definitely would like to put more intuitive account security features in place soon.”
One approach is to use a password manager. Should you use one?
According to the UK’s National Cyber Security Centre (NCSC) the answer is an unequivocal “yes”.