Reddit having to change passwords because of data breach

May 27, 2016

The need for proper data security comes into focus with stories about organisations having to notify users that passwords have been compromised and need to be reset. LinkedIn has been through that particular nightmare recently, while Reddit has been forced to reset 100,000 passwords, as reported in Reddit Forced to Reset 100,000 Passwords After ‘Uptick’ In Hacked Accounts.

Compromised passwords mean notifying users of the breach and inconveniencing them with changing passwords. They also mean potential enquiry by regulators and possible litigation. And, of course, terrible publicity. When the organisation is supposed to be cutting edge, such as Reddit, the embarrassment and reputational damage can be acute.

The article provides:

After a flurry of hacked accounts, Reddit has been forced to reset the passwords of 100,000 users in two weeks.

The company announced it on Thursday, noting that this “general uptick” in account takeovers comes on the heels of large data breaches on other sites, such as the recent leak of more than 100 million LinkedIn emails and passwords.

“If you haven’t seen it in the news, there have been a lot of recent password dumps made available on the parts of the internet most of us generally avoid. With this access to likely username and password combinations, we’ve noticed a general uptick in account takeovers (ATOs) by malicious (or at best spammy) third parties,” Reddit’s founding engineer Christopher Slowe wrote under his moniker KeyserSosa. “Though Reddit itself has not been exploited, even the best security in the world won’t work when users are reusing passwords between sites.”

There will be more password resets “as we continue to verify and validate that no one except for you is using your account,” Slowe said, but he also advised users to choose strong and unique passwords, set an email address to be able to recover control of the account if it gets hacked, and check whether there’s some strange activity on their accounts.

Slowe also warned that throwaway accounts that have been inactive for years will get their passwords reset too, and if the owners don’t log in for a month after the reset, they’re going to get disabled.

“Throw-away accounts are fine, but we have tons of completely abandoned accounts with no discernible history and exist as placeholders in our database. They’ve never posted. They’ve never voted. They haven’t logged in for several years. They are also a huge possible surface area for [account takeovers], because I generally don’t want to think about (though I do) how many of them have the password ‘hunter2,’” he wrote, referring to an ancient internet meme, which was born when an IRC user was tricked into giving away his password.

This is the second large series of security incidents on Reddit recently. In early May, a “bored” hacker went on a hacking spree, taking over and defacing a bunch of random subreddits.

A Reddit spokesperson said that they have any “hunches or evidence” that this is connected to the LinkedIn password leak, and added that the company started tightening security after the series of hacks on subreddits earlier this month.


