We are in the midst of a run of data breaches, with password dumps from ever more popular websites landing on the Dark Web. It is a good sign when a company takes matters into its own hands to keep its users' accounts from being exploited by malicious third parties. Reddit co-founder Christopher Slowe has just announced that the company had to ask 100,000 users to reset their passwords as a precautionary measure.
This is part of Slowe's statement, titled "Reddit, account security, and YOU!":
Though Reddit itself has not been exploited, even the best security in the world won’t work when users are reusing passwords between sites. We’ve ramped up our ability to detect the takeovers, and sent out 100k password resets in the last 2 weeks. More are to come as we continue to verify and validate that no one except for you is using your account.
Data Breaches Are a General Security Problem, Endangering All Websites
Slowe's announcement serves as a warning: users continue to use the same password across many platforms. Because so many leaked passwords are available on the Web, attackers can assemble databases of username and password pairs from earlier breaches. They then look up a Reddit username in those databases and, once a match is found, try the leaked password against the Reddit account (a technique known as credential stuffing). The same attack works against any site where users reuse passwords, not just social media.
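The defender's side of this is to run the same lookup before the attacker does: take the leaked username/password pairs, recompute each leaked password with the stored salt of the matching local account, and force a reset wherever it matches. The following is an added example written for this page, not Reddit's own code (Reddit has not disclosed how its detection works); the leak dump, the user records and the PBKDF2 parameters are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample "leak dump" (hypothetical data): username -> plaintext
# password, as an attacker's database of leaked credentials would hold them.
LEAKED_CREDENTIALS = [
    ("alice", "hunter2"),
    ("bob", "correct horse battery staple"),
    ("carol", "Tr0ub4dor&3"),
    ("dave", "letmein"),
]

# Iteration count is an assumption for the example; pick it for your own hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 as a stand-in for the site's password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(username: str, password: str) -> dict:
    """Build a stored record with a fresh random salt (constructed sample data)."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}


# Constructed site user database. Alice and Dave reused the password that leaked
# elsewhere; Bob uses a different one here; Carol has no account on this site.
USER_DB = {
    rec["username"]: rec
    for rec in (
        make_user_record("alice", "hunter2"),
        make_user_record("bob", "a-different-password"),
        make_user_record("dave", "letmein"),
        make_user_record("erin", "unrelated-password"),
    )
}


def find_reused_credentials(leak, user_db) -> list:
    """Return the usernames whose stored password equals the leaked one.

    Only a leaked pair with a matching local username is tested, so the cost is
    one slow hash per matching pair, which the defender can afford but an
    attacker guessing blindly cannot.
    """
    flagged = []
    for username, leaked_password in leak:
        rec = user_db.get(username)
        if rec is None:
            continue
        candidate = hash_password(leaked_password, rec["salt"])
        # Constant-time comparison so the check itself leaks nothing about the hash.
        if hmac.compare_digest(candidate, rec["hash"]):
            flagged.append(username)
    return sorted(flagged)


def issue_password_resets(leak, user_db) -> list:
    """Mark every account found by find_reused_credentials as requiring a reset."""
    flagged = find_reused_credentials(leak, user_db)
    for username in flagged:
        user_db[username]["must_reset"] = True
    return flagged


if __name__ == "__main__":
    print("Accounts forced to reset:", issue_password_resets(LEAKED_CREDENTIALS, USER_DB))
```

Matching on username alone misses users who sign up with different handles; a production check would also match on the e-mail address in the dump, and would mark the account rather than silently changing anything, so the user learns why they were reset.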
Reddit’s Recent Thread Defacing Incident
Reddit may also want to make sure it is never again the victim of a hacking incident. At the beginning of May this year, the company went through an aggressive defacement: an attacker took over random subreddits, removed their moderators, changed each subreddit's CSS styling and left a defacement message.
To prevent account hijacking from happening again, Reddit has improved its ability to detect account takeovers and has sent out 100,000 password resets in the last two weeks. More resets will follow as the company continues to verify and validate accounts, Slowe explained.
Given the magnitude of the LinkedIn data breach, Microsoft is another company that has taken matters into its own hands, by banning simple, commonly used passwords across its services.
Reddit to “Target” Abandoned Accounts
On a related point, a quick note about throw-aways: throw-away accounts are fine, but we have tons of completely abandoned accounts that have no discernible history and exist as placeholders in our database. They've never posted. They've never voted. They haven't logged in for several years. They are also a huge possible surface area for ATOs, because I generally don't want to think about (though I do) how many of them have the password "hunter2". Shortly, we're going to start issuing password resets to these accounts and, if we don't get a reaction in about a month, we're going to disable them. Please keep an eye out!
In addition, Reddit does offer two-factor authentication, but only to site admins. Rolling 2FA out to all users would require careful consideration and coordination.