In an announcement issued on Thursday, Reddit has revealed that it has sent out 100,000 password reset notices to its users in the past 2 weeks.
Over 100,000 Reddit users have been asked to reset their passwords by the website which cited a surge in password dumps due to data breaches in recent times. An announcement revealed that the website had noticed a general swell of account takeovers (ATOs) by “malicious (or at best spammy) third parties.
Reddit added that while the website itself had not been exploited in any way, any probability of users reusing passwords would mean lax security protocols. With this in mind, the security pros at Reddit have “ramped up” their ability to detect account takeovers.
The password dumps referred to by the website include the LinkedIn breach, which totaled 117 million compromised passwords. The other hacking incident cited was the hundreds of millions of email credentials that fundamentally given away by a Russian hacker in exchange for social media fame. LIFARS has reported on the two incidents here and here.
Among the FAQs, the announcement also adds that Reddit is considering two-factor authentication (2FA). The post revealed that admins are already required to use 2FA security to use the administrative parts of the website.
The post then revealed the reason why the website hasn’t already enabled 2FA to user accounts:
Unfortunately, to roll this out further, reddit has a huge ecosystem of apps, including our newly released iOS andandroid clients, to say nothing of integrations like with ifttt.com and that script you wrote as a school project that you forgot to shut off. “Adding 2FA to the login flow” will require a lot of coordination.
Additionally, Reddit recommends users choose a unique and strong password that is exclusive for Reddit alone, rightly claiming that “password reuse is really bad.”
“We care a lot about security, but we can’t do anything about the security of that other site you use the same password [on],” the announcement added.
Image credit: Pixabay.
