Reddit in Lock Down After Possible Security Breach
A large group of Reddit users has been locked out of their accounts because of a ‘security concern’, with some having to change their passwords.
Lockouts and forced password changes signal that popular social media platform Reddit has experienced an attack on its users’ accounts.
The company said it had locked down accounts due to suspicious activity on them, which could indicate unauthorised access.
Reddit admin ‘Sporkicide’ wrote in a blog post that the most likely cause lay with the users themselves, in the form of weak or reused passwords, but that Reddit’s engineers were working to resolve the issue.
“The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services.
“If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.”
In a credential stuffing attack, attackers use automated tools to replay username and password pairs leaked from one breach against the login forms of other sites, counting on users having reused the same combination. Because each leaked pair is typically tried only once per site, the traffic looks different from a brute-force attack that hammers a single account. According to Trend Micro, this form of attack is set to become more popular in 2019.
In a blog post notifying users of the incident, Reddit recommended that users choose strong, site-specific passwords and enable two-factor authentication.
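The credential stuffing pattern described above leaves a recognisable signature in login logs: one source address trying many distinct usernames, roughly once each, with most attempts failing. The following is an added example, not Reddit’s code and not anything the article says Reddit runs; it assumes a simple one-attempt-per-line log format and the thresholds shown, both chosen for illustration, and the sample log it builds is constructed, not real data.

```python
"""Credential-stuffing detector over login-attempt log lines.

Added example for this article; it is not Reddit's code and not anything the
article describes Reddit as running. The log format and thresholds are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed log format: one login attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ok": m.group("result") == "ok",
    }


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=20,
                    min_fail_ratio=0.8, max_tries_per_user=1.5):
    """Flag source IPs whose attempts in some sliding window look like
    credential stuffing: many distinct usernames, about one try each, and a
    high failure rate (leaked pairs mostly don't work on a second site).

    A brute-force source (one user, many tries) fails the distinct-user test;
    an ordinary user retrying a typo fails both. Returns {ip: stats}."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if (len(users) >= min_users and ratio >= min_fail_ratio
                    and len(win) / len(users) <= max_tries_per_user):
                # Keep the widest qualifying window for this IP.
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        # Accounts where a replayed pair worked: these are the
                        # ones to lock and force a password reset on.
                        "compromised": sorted(e["user"] for e in win if e["ok"]),
                    }
    return flagged


def build_sample_log():
    """Constructed sample log (not real data): one stuffing source, one
    brute-force source and one ordinary user."""
    base = datetime(2019, 1, 9, 12, 0, 0)

    def ts(secs):
        return (base + timedelta(seconds=secs)).strftime(TS_FMT)

    lines = []
    # 25 leaked pairs replayed once each; two happen to be reused passwords.
    for i in range(25):
        result = "ok" if i in (4, 17) else "fail"
        lines.append(f"{ts(10 * i)} ip=203.0.113.5 user=user{i:03d} result={result}")
    # One account hammered 30 times from another address (brute force, not stuffing).
    for i in range(30):
        lines.append(f"{ts(5 * i)} ip=198.51.100.7 user=bob result=fail")
    # alice mistypes once, then logs in.
    lines.append(f"{ts(0)} ip=192.0.2.10 user=alice result=fail")
    lines.append(f"{ts(20)} ip=192.0.2.10 user=alice result=ok")
    return lines


if __name__ == "__main__":
    for ip, stats in detect_stuffing(build_sample_log()).items():
        print(ip, stats)
```

On the constructed log only the stuffing source is flagged: the brute-force address is excluded because it targets a single username, and the ordinary user never reaches the distinct-user threshold. The `compromised` list (the two accounts where a replayed pair succeeded) is the set a site would lock and force through a password reset, which is the response the article describes Reddit taking.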
Users Suspect Takeover the Result of Session Hijacking
However, some users disputed this, saying that they used strong, site-specific credentials for Reddit. Commentators on the blog suggested that the takeover could be the result of session hijacking, similar to the attack that led to the theft of access tokens for 30 million Facebook accounts last year.
Jarrod Overson, director of engineering at Shape Security, commented: “Reddit is notoriously easy for attackers to manipulate — they don’t require an email to open an account; the signup form only uses basic reCAPTCHA, which has been ineffective for years; and the login form does not appear to use any automation prevention techniques to protect against credential stuffing attacks.
“Sites like Reddit are a dream for attackers. There are virtually no barriers to entry and the value of trusted accounts on social networks is so high.”
Reddit is still working on resolving the issue but has apologised to its users, saying: “We’re sorry for the unpleasant surprise and are working to get you all back to redditing as usual.”