Reddit announced it would require users to reset their passwords following the release of a dataset containing 100 million LinkedIn emails and password combinations from a 2012 breach.
While Reddit did not directly mention the release of the LinkedIn data, founding engineer Christopher Slowe (KeyserSosa) stated that the decision was prompted by "a general uptick in account takeovers (ATOs) by malicious (or at best spammy) third parties."
Slowe expressed concern that users who reuse the same usernames and passwords on multiple platforms could be affected, though he was careful to clarify that the social news site itself was not breached. “Though Reddit itself has not been exploited, even the best security in the world won't work when users are reusing passwords between sites,” he wrote. “We've ramped up our ability to detect the takeovers, and sent out 100k password resets in the last two weeks.”
The password reset is the latest indication that web users have not yet changed their behaviour to follow the best practices recommended by information security professionals, so companies are attempting to secure user information by planning for poor user decisions from the outset. For example, Microsoft said this week it would prevent users from selecting commonly used passwords that appear on breach lists.
“Right now, the burden is entirely on the companies to secure user information, while their users try to figure out the easiest most complex password that they can remember,” said Alex Holden, chief information security officer (CISO) at Hold Security. His firm recovers hacked email and password information, often by intercepting private communication between hackers. Over the last 2.5 years, Holden said, his firm has recovered 2.5 billion credential pairs of user IDs and passwords.
Chris Vickery, a security researcher who has reported a series of MongoDB leaks, agreed, noting that “loose security is more profitable than responsible data management.” He said, “The percentage of breaches that get reported is abysmally low and the odds of a company being fined are slim.”
Researchers say the task facing companies that try to protect user information while users recycle passwords across multiple platforms and services will only become more difficult. “The irony is that as these password resets become more common, it opens the door to another vector of attack,” said OneLogin VP of engineering David Meyer, speaking with SCMagazine.com. “One of the most common phishing attacks is asking someone to reset something because they are replacing the old with the new.”