A large number of Reddit users are being told that they will have to reset their passwords in order to regain access to their accounts following what the site is calling a “security concern.”
The lockout occurred as Reddit’s security team investigates what appears to have been an attempt to log into many users’ accounts through a credential-stuffing attack.
In a post on Reddit’s Help subreddit, admin Sporkicide explained that the site had detected unusual behavior suggestive of a hacker gaining control of users’ accounts.
The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.
Credential-stuffing attacks see hackers using stolen passwords from other data breaches to launch automated systems against sites in an attempt to compromise accounts. Such attacks take advantage of the fact that so many internet users persist in recycling passwords rather than choosing unique hard-to-crack passwords to defend their online accounts.
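The pattern described above can be looked for in login logs. The following is an added illustration, not Reddit's detection logic and not code from the original post: the log format, thresholds and function names are assumptions, and the sample lines are constructed. It flags a source that tries many different usernames in a short window with mostly failed logins, and returns the accounts that were successfully logged into during that burst, which are the ones a site would want to lock and force through a password reset.

```python
from collections import defaultdict

# Constructed sample auth log: epoch seconds, source IP, username, outcome.
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1002 203.0.113.7 bob FAIL
1003 203.0.113.7 carol OK
1005 203.0.113.7 dave FAIL
1006 203.0.113.7 erin FAIL
1009 203.0.113.7 frank OK
1010 198.51.100.4 grace FAIL
1015 198.51.100.4 grace FAIL
1020 198.51.100.4 grace OK
5000 203.0.113.7 heidi OK
"""

def parse(log):
    """Yield (ts, ip, user, ok) tuples from the whitespace-separated log."""
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield int(ts), ip, user, outcome == "OK"

def find_stuffing(events, window=300, min_users=5, min_fail_ratio=0.5):
    """Return {ip: users who logged in OK during a stuffing burst}.

    A burst is a span of at most `window` seconds in which one source tried
    at least `min_users` distinct usernames and at least `min_fail_ratio` of
    the attempts failed (assumed thresholds; tune against real traffic).
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans <= `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {u for _, _, u, _ in burst}
            fails = sum(1 for e in burst if not e[3])
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                # Successful logins inside the burst are likely reused passwords.
                flagged.setdefault(ip, set()).update(u for _, _, u, ok in burst if ok)
    return flagged
```

The user who mistypes a password twice before logging in (one username, one source) is not flagged, and neither is a later isolated login from the flagged address that falls outside the burst window.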
Most Reddit users first learned of the issue when some of them received emails from the site telling them that they should reset their passwords and ensure that they were not using the same password anywhere else online.
Unfortunately, according to Sporkicide, Reddit messed up some of its communications by incorrectly informing some affected users that their accounts had been suspended.
Things were also made somewhat more confusing by an unusual aspect of how Reddit works. Unlike many other websites, Reddit allows users to access the site without initially setting a password, meaning ...
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/featured/reddit-users-locked-accounts-security-concern/