Reddit co-founder Christopher Slowe announced yesterday that his company had to take precautionary measures and ask 100,000 users to reset their passwords after its security team detected a growing number of account hijackings.
Slowe blames this on the recent wave of data breaches, such as the massive, only recently discovered in full, which at the time of his post was the biggest data breach to date with 167 million leaked records. The announced only a few hours ago has now taken the crown, with 427 million leaked user details.
Public data breaches weaken password policies across all sites
The Reddit co-founder points out that this data and the large number of passwords now available out in the open have allowed attackers to create a database of leaked passwords.
Since many users share their passwords across platforms, attackers take a corresponding Reddit username and search their databases. If they find a match, they take the account’s password and try it on Reddit.
Something like this has been at the core of a recent, where a hacker was taking over moderator accounts, and altering the UI of Reddit topics.
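The same lookup can be run by the site itself to decide which accounts need a forced reset. The sketch below is an added example, not code from the article or from Reddit: it re-hashes each leaked password with the matching account's own salt and flags the account only if the result equals the stored hash. The account store layout, the PBKDF2 parameters and all usernames and passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as the site would store it (assumed scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(password: str) -> dict:
    """Build a constructed account record with a per-user random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def flag_reused_credentials(accounts: dict, leaked_pairs) -> list:
    """Flag accounts whose current password equals a leaked one for the same username."""
    flagged = []
    for username, leaked_password in leaked_pairs:
        key = username.strip().lower()  # dumps differ in case and whitespace
        account = accounts.get(key)
        if account is None or account["force_reset"]:
            continue  # no such user here, or already queued for reset
        candidate = hash_password(leaked_password, account["salt"])
        # Constant-time comparison; the plaintext is never stored or logged.
        if hmac.compare_digest(candidate, account["hash"]):
            account["force_reset"] = True
            flagged.append(key)
    return flagged


# Constructed sample data: a local account store and pairs from a public dump.
ACCOUNTS = {
    "alice": make_account("Summer2016!"),
    "bob": make_account("x9#Lq2-unique"),
    "carol": make_account("hunter2"),
}
LEAKED = [
    ("Alice", "Summer2016!"),  # same password reused on this site
    ("bob", "password1"),      # username leaked, but password differs here
    ("carol", "letmein"),
    ("carol", "hunter2"),      # second leaked entry for carol matches
    ("dave", "qwerty"),        # no account with this name
]

if __name__ == "__main__":
    print(flag_reused_credentials(ACCOUNTS, LEAKED))
```

Only accounts whose current password actually matches are flagged, so users who appear in a dump but chose a different password on this site are left alone.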
More Reddit account password resets to come
“We’ve ramped up our ability to detect the takeovers, and sent out 100k password resets in the last 2 weeks,” Slowe said. “More are to come as we continue to verify and validate that no one except for you is using your account.”
Before Reddit’s announcement, Microsoft also learned a crucial lesson from the LinkedIn hack, and this week announced that it started from its service.
Further, Slowe also raises the alarm for abandoned accounts, which he describes as “dry kindling” since there’s nobody to prevent or detect misuse in their cases.
As for two-factor authentication, the Reddit co-founder revealed that the service already features such a function, but it’s only active for site admins. He said that rolling something like this out to users needs a lot of consideration and coordination, because of the huge app ecosystem with Reddit at its center.
Nevertheless, the company is not afraid to make bold moves, only recently changing its default image upload handler from Imgur to a custom, in-house solution.