Reddit 2019 Account Lockouts and Forced Resets Over Credential Stuffing
January 2019
In January 2019 Reddit locked a large group of accounts after detecting unusual activity it attributed to credential stuffing, forcing affected users to reset passwords. Some users disputed the explanation, suspecting a direct compromise.
What happened
On January 10, 2019, Reddit locked out a large batch of accounts after its security team flagged anomalous sign-in activity. A Reddit admin attributed the lockouts to credential stuffing — attackers replaying passwords leaked from other breaches against accounts where users had chosen weak passwords or reused credentials across sites. Affected users were required to reset their passwords through account notifications or support tickets before access was restored.
The response drew skepticism from a portion of the affected user base. Some users argued that their Reddit passwords were unique and strong, and therefore should not have been vulnerable to credential stuffing, raising the possibility of a more direct compromise. Reporting at the time noted that no definitive public evidence settled whether the wave was purely credential stuffing or involved another vector. The incident also landed roughly five months after Reddit's confirmed August 2018 breach, which heightened user wariness.
The episode is a documented instance of Reddit using mass forced password resets as an account-takeover mitigation, and of the trust friction that arises when a platform attributes lockouts to user password hygiene without disclosing detailed evidence.
Impact
A large but unspecified number of accounts were locked and forced to reset passwords, disrupting access. The incident generated user distrust because Reddit's credential-stuffing explanation could not be independently verified and some users with strong, unique passwords reported being affected.