Reddit 2016 Mass Password Reset After Credential-Stuffing Surge
May 2016
In May 2016, after the 2012 LinkedIn breach was revealed to have exposed roughly 117 million credentials, Reddit detected a surge in account takeovers driven by password reuse and forced password resets on about 100,000 accounts.
What happened
In late May 2016, Reddit founding engineer Christopher Slowe announced that the site had detected a 'general uptick' in account takeovers by malicious and spam-focused actors. Reddit attributed the surge not to a compromise of its own systems but to credential stuffing: attackers were taking username-and-password pairs leaked from other sites and replaying them against Reddit, exploiting users who reused the same credentials across services.
The timing coincided with the disclosure that the 2012 LinkedIn breach was far larger than originally reported: in May 2016 it was revealed to have exposed roughly 117 million email-and-password combinations. Those credentials flooded criminal markets and powered credential-stuffing campaigns across many platforms. In response, Reddit improved its takeover-detection systems and prompted roughly 100,000 affected users to reset their passwords. Reddit also said it would disable long-dormant accounts and was weighing a broader rollout of two-factor authentication.
The incident came amid a string of subreddit takeovers and defacements earlier that month, prompting Reddit to tighten security more broadly. It is an early, well-documented example of how breaches at unrelated services cascade into account-takeover waves on Reddit because of widespread password reuse.
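The detection side of the story above (leaked pairs replayed against many different accounts from one source, followed by forced resets of the accounts that were taken over) can be illustrated with a small heuristic. This is an added example, not Reddit's detection logic; the log format, thresholds and sample lines are constructed for the illustration.

```python
"""Toy credential-stuffing detector over constructed auth-log lines.

Heuristic: a source that tries many *distinct* usernames with a high
failure rate is replaying leaked credential pairs rather than guessing
one user's password. Any account that logged in successfully from such
a source is a takeover candidate and should be forced to reset.
"""
from collections import defaultdict

# Constructed sample log lines (not real data): timestamp source user result
SAMPLE_LOG = """\
2016-05-20T10:00:01 203.0.113.7 alice FAIL
2016-05-20T10:00:02 203.0.113.7 bob FAIL
2016-05-20T10:00:02 203.0.113.7 carol FAIL
2016-05-20T10:00:03 203.0.113.7 dave OK
2016-05-20T10:00:03 203.0.113.7 erin FAIL
2016-05-20T10:00:04 203.0.113.7 frank FAIL
2016-05-20T10:00:05 198.51.100.4 grace FAIL
2016-05-20T10:00:09 198.51.100.4 grace FAIL
2016-05-20T10:00:15 198.51.100.4 grace OK
2016-05-20T10:01:00 192.0.2.10 heidi OK
"""

def parse_log(text):
    """Return (timestamp, source, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((ts, src, user, result == "OK"))
    return events

def stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Sources that hit many distinct accounts and mostly fail.

    Thresholds are assumptions for the example; a single-account
    brute force (198.51.100.4 above) is deliberately not flagged.
    """
    by_src = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, src, user, ok in events:
        stats = by_src[src]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["ok"] += int(ok)
    return {src for src, s in by_src.items()
            if len(s["users"]) >= min_users
            and s["ok"] / s["attempts"] <= max_success_ratio}

def reset_candidates(events, sources):
    """Accounts that succeeded from a flagged source: force a password reset."""
    return sorted({user for _, src, user, ok in events if ok and src in sources})

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = stuffing_sources(evts)
    print("stuffing sources:", flagged)
    print("force-reset:", reset_candidates(evts, flagged))
```

Real detectors add signals the log above lacks (ASN, user agent, impossible-travel checks) and tune thresholds against normal traffic, but the distinct-user-per-source ratio is the core distinction between stuffing and single-account guessing.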
Impact
Around 100,000 Reddit accounts were force-reset; an unknown number had already been taken over and used for spam or abuse before detection. The episode illustrated Reddit's exposure to credential-stuffing fallout from third-party breaches such as the 2012 LinkedIn leak once its full scope became public.