Some Reddit users discovered they were locked out of their own accounts earlier this week after an apparent credential stuffing attack compelled the popular website to invoke password security measures.
An admin post published on Reddit’s Help subreddit this past Wednesday advises users that a “large group of accounts were locked down” due to anomalous activity suggesting unauthorized access. Consequently, affected users were informed they would have to reset their passwords to regain access.
In a credential stuffing attack, malicious actors attempt to use passwords previously stolen from one source to illegally access other, unrelated websites and online services, in hopes that the user entered the same credentials.
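The "anomalous activity" a site looks for in a credential stuffing attack is typically one source trying many different usernames in a short window, with most attempts failing. The following is an added illustration of that detection logic, not code from Reddit or from the article; it runs over a constructed authentication log, and the thresholds (five distinct users in five minutes, at least 60% failures) are assumptions chosen for the sample rather than any real service's tuning.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Reddit data).
# One source address walks through many usernames and mostly fails,
# while an ordinary user mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2019-01-09T10:00:01 src=203.0.113.7 user=alice result=fail
2019-01-09T10:00:02 src=203.0.113.7 user=bob result=fail
2019-01-09T10:00:02 src=203.0.113.7 user=carol result=fail
2019-01-09T10:00:03 src=203.0.113.7 user=dave result=success
2019-01-09T10:00:03 src=203.0.113.7 user=erin result=fail
2019-01-09T10:00:04 src=203.0.113.7 user=frank result=fail
2019-01-09T10:00:05 src=203.0.113.7 user=grace result=fail
2019-01-09T10:01:00 src=198.51.100.20 user=alice result=fail
2019-01-09T10:01:10 src=198.51.100.20 user=alice result=success
2019-01-09T10:02:00 src=198.51.100.21 user=heidi result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "success",
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Return {src: stats} for source addresses whose logins inside any `window`
    look like credential stuffing: many distinct usernames, mostly failures.
    `successes` lists accounts that did log in from such a source; those are the
    accounts a defender would lock and force through a password reset."""
    by_src = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding time window over this source's events; keep the widest hit.
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[src] = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "successes": sorted({e["user"] for e in win if e["ok"]}),
                    }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, stats)
```

The single-user retry from 198.51.100.20 is not flagged, because the signal is breadth across accounts rather than a failed attempt as such; a successful login that sits inside a flagged window is exactly the case that warrants a precautionary lock and reset, since the attacker evidently held a working reused password.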
The Reddit admin, Sporkicide, implored users who were resetting their credentials to choose strong, unique passwords and employ two-factor authentication.
According to security expert Graham Cluley via the Tripwire blog, Reddit experienced complications while responding to the threat. For starters, Reddit misinformed certain users that their accounts were suspended when they were actually just locked out as a precaution. The website later corrected this mistake.