- Vector: credential-stuffing
- Severity: moderate
- Records exposed: About 100,000 accounts locked and forced to reset passwords
- Data exposed: No new Reddit breach; attackers attempted logins using credentials leaked from other sites
- Disclosed: 2016-12-01
- Date: 2016-12-01
What happened
In 2016 Reddit locked down a large group of accounts and forced password resets after detecting a credential-stuffing campaign in which attackers replayed username-and-password pairs stolen from unrelated breaches, including older leaks such as LinkedIn's. The activity was not a breach of Reddit's own systems; it exploited users who reused passwords across sites. Admins told affected users their accounts had been locked due to anomalous activity suggesting unauthorized access, and that they would have to reset their passwords to regain entry. Reddit initially told some users their accounts were 'suspended' before clarifying they were only locked as a precaution. The company urged users to choose unique passwords and enable two-factor authentication.