Loading…
Search issues, trackers, people, glossary, and more
Tracker
Documented breaches and security incidents affecting Reddit and its users — the attack vector, what data was exposed, who was behind it, and when it was disclosed.
15 of 15 incidents
| Vector | Severity | Records | Source | ||
|---|---|---|---|---|---|
| Session-Cookie Theft and Infostealer Malware Enable 2FA-Bypassing Account Takeovers | credential-stuffing | moderate | — | 2025 | |
| Fake-Moderator Phishing: Account-Takeover Scams Impersonating Reddit Staff | phishing | moderate | — | 2024 | |
| Hijacked High-Follower Accounts Used for Crypto 'Giveaway' Scams | phishing | moderate | — | 2024 | |
| 2023 BlackCat/ALPHV Extortion: $4.5M Demand and Threat to Leak 80GB Tied to API Pricing | phishing | high | Up to 80GB (compressed) of data claimed stolen in the February 2023 breach | 2023 | |
| 2023 Breach: Employee Spear-Phishing Exposes Source Code and Internal Documents | phishing | high | Limited contact details for hundreds of current and former employees; limited advertiser information | 2023 | |
| 2023 Breach Lesson: Real-Time Phishing Proxies Defeat Standard MFA | phishing | high | — | 2023 | |
| August 2020 Coordinated Pro-Trump Defacement via Hijacked Moderator Accounts | credential-stuffing | moderate | More than 50 subreddits defaced through compromised moderator accounts | 2020 | |
| January 2019 Account Lockouts and Forced Resets Over Credential Stuffing | credential-stuffing | moderate | A large group of accounts locked and forced to reset passwords (count not disclosed) | 2019 | |
| Rising Government Data Requests and Pressure to Unmask Anonymous Users | other | low | 752 government data requests in 2018, up from 310 in 2017 and 55 in 2014 | 2019 | |
| 2018 Breach: Attacker Bypasses Employees' SMS-Based 2FA and Steals a 2007 Database Backup | sms-2fa | high | All accounts created from Reddit's 2005 launch through May 2007, plus email-digest recipients from June 2018 | 2018 | |
| 2018 Breach Fallout: Early-User Email Exposure and Deanonymization Risk | sms-2fa | moderate | Early adopters (2005-2007) and June 2018 email-digest recipients | 2018 | |
| 2018 Email-Digest Log Exposure Linked Current Usernames to Email Addresses | sms-2fa | moderate | Recipients of Reddit email digests sent June 3 and June 17, 2018 | 2018 | |
| 2016 Mass Password Reset After a Credential-Stuffing Surge | credential-stuffing | moderate | About 100,000 accounts locked and forced to reset passwords | 2016 | |
| 2016 Warrant Canary Disappears, Signaling a Likely Secret Government Request | other | moderate | — | 2016 | |
| May 2016 Defacement of 70+ Subreddits via Hijacked Moderator Accounts (TehBVM) | credential-stuffing | moderate | More than 70 subreddits defaced through compromised moderator accounts | 2016 |