Security & Data Breaches

By July 2024 Reddit's robots.txt changes had blocked Bing, DuckDuckGo, Mojeek, Qwant and other engines from indexing recent Reddit content, while Google retained access under a reported $60 million annual AI-data deal — making Google effectively the only search engine able to surface fresh Reddit results.

On February 5, 2023, a targeted phishing attack stole an employee's credentials and 2FA token, giving intruders access to internal documents, dashboards, source code, and employee and advertiser data. In June 2023 the BlackCat/ALPHV ransomware group publicly claimed it had taken roughly 80GB of data and demanded a $4.5 million ransom.

In 2023 Reddit terminated Pushshift's bulk data access as part of its paid-API crackdown, breaking the historical archive that powered research and the tools (Reveddit, Removeddit, Unddit) used to view deleted or removed content — reshaping who controls retained Reddit data.

In January 2019 Reddit locked a large group of accounts after detecting unusual activity it attributed to credential stuffing, forcing affected users to reset passwords. Some users disputed the explanation, suspecting a direct compromise.

Between June 14–18, 2018, an attacker intercepted SMS-based two-factor authentication codes for several Reddit employees and used the access to download a complete 2007 site backup containing early users' usernames, salted-and-hashed passwords, email addresses, and all of their public and private content.

Federal prosecutors convicted four men — Ryan Collins, Edward Majerczyk, George Garofano and Emilio Herrera — for phishing schemes that compromised celebrities' iCloud and Gmail accounts; the stolen nude photos were mass-distributed on Reddit's r/TheFappening in 2014.

In May 2016, after the 2012 LinkedIn breach was revealed to have exposed roughly 117 million credentials, Reddit detected a surge in account takeovers driven by password reuse and forced password resets on about 100,000 accounts.