Some Reddit users discovered they were locked out of their own accounts earlier this week after an apparent credential stuffing attack compelled the popular website to invoke password security measures.
An admin post published on Reddit’s Help subreddit this past Wednesday advises users that a "large group of accounts were locked down" due to anomalous activity suggesting unauthorised access. Consequently, affected users were informed they would have to reset their passwords to regain access.
In a credential stuffing attack, malicious actors attempt to use passwords previously stolen from one source to illegally access other, unrelated websites and online services, in hopes that the user entered the same credentials.
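The lockdown described above is the response side of credential stuffing; the detection side typically starts with authentication logs. The following Python script is an added illustration, not code from the article or from Reddit, and it runs over a handful of constructed log lines in a made-up format (`ip=`, `user=`, `result=`) that are assumptions for the example. It flags a source address that tries many distinct usernames within a short window, which is the signature that distinguishes stuffing from an ordinary user mistyping their own password, and then lists the accounts that had a successful login from a flagged source, i.e. the ones an operator would lock and force to reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for the example (not real data).
# 203.0.113.5 walks through six different usernames in three minutes and
# gets two of them right; 198.51.100.7 is one user failing their own
# password a few times; 192.0.2.9 is a single clean login.
SAMPLE_LOG = """\
2019-01-09T10:00:01 ip=203.0.113.5 user=alice result=FAIL
2019-01-09T10:00:20 ip=203.0.113.5 user=bob result=OK
2019-01-09T10:00:45 ip=198.51.100.7 user=frank result=FAIL
2019-01-09T10:01:02 ip=203.0.113.5 user=carol result=FAIL
2019-01-09T10:01:10 ip=198.51.100.7 user=frank result=FAIL
2019-01-09T10:01:30 ip=192.0.2.9 user=alice result=OK
2019-01-09T10:01:44 ip=203.0.113.5 user=dave result=FAIL
2019-01-09T10:02:05 ip=198.51.100.7 user=frank result=FAIL
2019-01-09T10:02:21 ip=203.0.113.5 user=erin result=OK
2019-01-09T10:02:40 ip=198.51.100.7 user=frank result=FAIL
2019-01-09T10:03:02 ip=203.0.113.5 user=gina result=FAIL
2019-01-09T10:03:15 ip=198.51.100.7 user=frank result=OK
"""

# Hypothetical log line format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ok": m.group("result") == "OK",
    }


def _events(log_text):
    evs = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    evs.sort(key=lambda e: e["ts"])
    return evs


def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_distinct_users=5):
    """Return {ip: sorted usernames attempted} for every source IP that
    attempted at least `min_distinct_users` distinct usernames within any
    `window`. Success or failure does not matter here: trying many
    different accounts from one place is the signal."""
    by_ip = defaultdict(list)
    for e in _events(log_text):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in evs[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged[ip] = sorted({e["user"] for e in evs})
                break
    return flagged


def accounts_to_lock(log_text, **kwargs):
    """Usernames with a successful login from a flagged source: the
    likely-compromised accounts to lock and force through a password reset."""
    flagged = find_stuffing_sources(log_text, **kwargs)
    return sorted({e["user"] for e in _events(log_text)
                   if e["ip"] in flagged and e["ok"]})


if __name__ == "__main__":
    print("stuffing sources:", find_stuffing_sources(SAMPLE_LOG))
    print("lock and reset:", accounts_to_lock(SAMPLE_LOG))
```

On the constructed sample, only `203.0.113.5` is flagged and `bob` and `erin` are the accounts to lock; `frank`'s repeated failures from one address against one username are left alone. A real campaign is usually spread across many proxy addresses so that no single IP crosses a per-IP threshold, which is why production detection also baselines the site-wide login failure rate and distinct-username counts per network block or client fingerprint rather than relying on this per-IP view alone.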
The Reddit admin, Sporkicide, implored users who were resetting their credentials to choose strong, unique passwords and employ two-factor authentication.
According to security expert Graham Cluley via the Tripwire blog, Reddit experienced complications while responding to the threat. For starters, Reddit misinformed certain users that their accounts were suspended when they were actually just locked out as a precaution. The website later corrected this mistake.
Secondly, "Unlike many other websites, Reddit allows users to access the site without initially setting a password, meaning that there can be no password to reset," Cluley explained in the post. "In such instances, users are advised to occasionally revisit the site in their browser to see if their access has been restored." Moreover, Cluley reported that Reddit users are not required to link an email address to their accounts, meaning the website does not have a way to directly alert these particular users of the security issue.
This article was originally published on SC Media US.