A large number of Reddit users have been locked out of their accounts as a precaution while the site’s admins investigate potential unauthorized access.
Staffer “Sporkicide” would not disclose exactly how many users were affected by the move, but claimed in a post yesterday that “a large group of accounts were locked down due to a security concern.”
“By ‘security concern,’ we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access,” the admin continued.
“The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.”
These credential stuffing attacks, facilitated by automated software that injects breached credentials into other sites to crack accounts, are set to become ever more popular in 2019, according to one security vendor.
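To show what the two signals described above look like in practice, here is an added example (not code from Reddit or from the article) that runs over a constructed batch of login events. It flags a source that tries many distinct usernames with mostly failed attempts (the stuffing pattern), then lists accounts that were successfully logged into from such a source, which is the kind of "unusual activity" that justifies a precautionary lock and reset. The event format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# 198.51.100.7 cycles through many usernames from a breached list; the other
# sources are ordinary users, including one who mistypes their own password.
EVENTS = [
    ("198.51.100.7", "alice", False),
    ("198.51.100.7", "bob", False),
    ("198.51.100.7", "carol", False),
    ("198.51.100.7", "dave", True),   # reused password: stuffing succeeds
    ("198.51.100.7", "erin", False),
    ("198.51.100.7", "frank", False),
    ("203.0.113.5", "alice", True),
    ("203.0.113.5", "alice", True),
    ("203.0.113.9", "bob", False),    # typo, then a normal login
    ("203.0.113.9", "bob", True),
]


def stuffing_sources(events, min_users=5, max_success_ratio=0.5):
    """Return {source_ip: stats} for sources whose attempts look like
    credential stuffing: many distinct usernames tried from one source,
    with a low success ratio. A single user fumbling their own password
    touches one username, so they are not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return flagged


def accounts_to_lock(events, flagged):
    """Accounts that were successfully logged into from a flagged source.
    These are the candidates for a precautionary lock and password reset."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged})
```

In production the same aggregation would run over a sliding time window per source (and per ASN or device fingerprint, since stuffing tools rotate proxies), but the shape of the signal is the same.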
“Breached credentials will be actively and heavily used in fraudulent transactions as cyber-criminals take the next logical step after amassing data breach info dumps in past years: using these stolen credentials,” Trend Micro predicted in a recent report.
However, some of those commenting on the security notice claimed they used strong, site-specific credentials for Reddit. One even suggested the incident could be the result of a session hijacking attack of the same kind that led to the theft of access tokens for 30 million Facebook accounts last year.
Reddit is no stranger to security incidents: last year it suffered a major breach of user data after hackers first cracked staff accounts by intercepting SMS-based two-factor authentication codes.
Sporkicide claimed yesterday that over “the next few hours” affected account holders will be able to reset their passwords.
Jarrod Overson, director of engineering at Shape Security, claimed Reddit accounts are prized as they can be used to push malicious content, exploit other users and make content go viral.
“Reddit is notoriously easy for attackers to manipulate — they don’t require an email to open an account; the signup form only uses basic reCAPTCHA, which has been ineffective for years; and the login form does not appear to use any automation prevention techniques to protect against credential stuffing attacks,” he added.
“Sites like Reddit are a dream for attackers: there are virtually no barriers to entry and the value of trusted accounts on social networks is so high.”