Reddit is forcing password resets on 100,000 user accounts in the wake of a stream of hijacked accounts.
A "general uptick" in account hijacking and takeovers, mainly by malicious -- and spam-based -- third parties, has prompted the move, according to the forum.
In a blog post this week, Reddit said that the increased rate of account takeovers comes on the heels of recent password dumps, such as the LinkedIn data breach which led to the release of data belonging to millions of users.
Reddit itself has not been compromised. Rather, password dumps, weak password choices and the reuse of the same credentials across different sites are contributing to the problem.
"We've ramped up our ability to detect the takeovers, and sent out 100k password resets in the last 2 weeks," Reddit says. "More are to come as we continue to verify and validate that no one except for you is using your account."
Reddit engineer "KeyserSosa", otherwise known as Christopher Slowe, advised users who receive the reset request to choose a strong, unique password and to use that set of credentials for the forum alone.
He also recommends that users set and verify an email address. While email addresses are not required, if your account is taken over, a verified email address can be used to reset your account.
In addition, the engineer noted that users can check their account activity page to keep an eye out for strange activity, such as logins from unexpected locations, which may mean the account has been compromised.
To reduce the surface area for potential attacks, Reddit is also planning to tackle the problem of throwaway accounts. While these types of accounts are fine in themselves, Reddit has "tons" of abandoned accounts which have never posted or voted and have not been logged into for several years.
These throwaway accounts will also be subject to the password reset spree. However, if these accounts are not logged into within a month, they are going to be
"If ATOs [account takeovers] are a brush fire, abandoned, unused accounts are dry kindling," Slowe said.
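The two defensive checks the article describes, flagging logins from locations an account has never used before and identifying dormant accounts that never posted or voted, can be expressed as simple detection logic over login records. The following is an added example written for this page, not code from Reddit or from the article; the record format, the account table and the thresholds (two prior logins to form a baseline, three years of dormancy) are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real Reddit data): "username,timestamp,country".
LOGIN_LOG = """\
alice,2016-05-01T10:00:00,US
alice,2016-05-10T08:30:00,US
alice,2016-06-02T23:15:00,RO
bob,2013-02-11T12:00:00,DE
carol,2016-05-30T09:00:00,GB
carol,2016-06-01T09:05:00,GB
"""

# Constructed account table (assumed format): username -> (posts, votes).
ACCOUNTS = {
    "alice": (120, 900),
    "bob": (0, 0),
    "carol": (3, 40),
    "dave": (0, 0),  # never appears in the login log at all
}


def parse_logins(text):
    """Group login events per user, sorted by time."""
    logins = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, country = line.split(",")
        logins[user].append((datetime.fromisoformat(ts), country))
    for user in logins:
        logins[user].sort()
    return dict(logins)


def unusual_logins(logins, baseline_count=2):
    """Flag a login from a country not seen in the account's earlier logins.

    An account must have at least `baseline_count` prior logins before a new
    country is treated as unusual, so brand-new accounts are not flagged on
    their first sessions (threshold is an assumption for this example).
    """
    flagged = []
    for user, events in logins.items():
        seen = set()
        for i, (ts, country) in enumerate(events):
            if i >= baseline_count and country not in seen:
                flagged.append((user, ts.isoformat(), country))
            seen.add(country)
    return flagged


def abandoned_accounts(accounts, logins, now, dormant_days=3 * 365):
    """Accounts with no posts or votes and no login within `dormant_days`.

    These are the "dry kindling" accounts a reset campaign would target.
    """
    result = []
    for user, (posts, votes) in accounts.items():
        if posts or votes:
            continue
        events = logins.get(user, [])
        last_login = events[-1][0] if events else None
        if last_login is None or now - last_login > timedelta(days=dormant_days):
            result.append(user)
    return sorted(result)


if __name__ == "__main__":
    logins = parse_logins(LOGIN_LOG)
    print("unusual logins:", unusual_logins(logins))
    print("abandoned accounts:", abandoned_accounts(ACCOUNTS, logins, datetime(2016, 6, 15)))
```

Running the block flags alice's login from RO (her first two logins were from US) and lists bob and dave as abandoned: neither has posted or voted, bob last logged in over three years earlier, and dave has no login at all. A real deployment would replace the country field with whatever location signal the activity page records and tune the dormancy window to the site's own policy.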
The engineer also revealed that Reddit is considering enabling two-factor authentication in the future for accounts below the administration level, but integration issues with apps and different clients pose a
This is the second notable security incident to hit the website in recent weeks. In May, a "bored" hacker took over a number of subreddits on the forum, defacing them and stealing data -- just for fun.