Locked Out of Your Reddit Account? Don't Panic
Many Reddit users were locked out of their accounts yesterday, and some might still be trying to get back in. Here's what you need to do.
Many Reddit users found themselves locked out of their accounts yesterday (Jan. 10) due to a "security concern." Even worse, some users were erroneously told that their accounts had been suspended. All affected Reddit users will have to change their account passwords.
Reddit admin Sporkicide told users that "a large group of accounts" had been locked down due to "unusual activity that did not correspond to the account's normal behavior [and] may indicate unauthorized access."
Sporkicide described what appeared to be a credential-stuffing attack. In other words, someone was trying to log into a batch of Reddit accounts using email addresses and passwords stolen from other sites' data breaches.
Credential-stuffing attacks are possible only because so many people reuse passwords across multiple accounts. If you use a unique password for every website — something made easiest by a password manager — then you won't have this problem.
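To show what "unusual activity" from credential stuffing can look like in login records, here is an added example (not code from Reddit or from this article) that separates a stuffing source from password guessing and from an ordinary mistyped login. The event format, the sample data and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real Reddit data):
# (source_ip, username, login_succeeded)
EVENTS = (
    # One source walks a list of breached pairs: one try per account, mostly failing.
    [("203.0.113.7", f"user{i}", i in (3, 8)) for i in range(10)]
    # One source hammers a single account: password guessing, not stuffing.
    + [("198.51.100.9", "alice", False)] * 12
    # An ordinary user who mistypes once and then gets in.
    + [("192.0.2.44", "bob", False), ("192.0.2.44", "bob", True)]
)

def classify_sources(events, min_accounts=5, max_tries_per_account=2.0,
                     min_failure_rate=0.7, guess_threshold=10):
    """Label each source IP by the shape of its login attempts.

    Thresholds are illustrative assumptions, not values from any real service.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, user, ok in events:
        per_ip[ip][user].append(ok)

    verdicts = {}
    for ip, users in per_ip.items():
        attempts = sum(len(r) for r in users.values())
        failures = sum(r.count(False) for r in users.values())
        # Stuffing is wide and shallow: many accounts, a try or two each,
        # mostly failures because most stolen pairs do not match here.
        if (len(users) >= min_accounts
                and attempts / len(users) <= max_tries_per_account
                and failures / attempts >= min_failure_rate):
            verdicts[ip] = "credential_stuffing"
        # Guessing is narrow and deep: many failures against one account.
        elif max(r.count(False) for r in users.values()) >= guess_threshold:
            verdicts[ip] = "password_guessing"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a stuffing source logged into; their reused password is known."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    v = classify_sources(EVENTS)
    print(v, accounts_to_reset(EVENTS, v))
```

The accounts returned by `accounts_to_reset` are the ones where a stolen pair worked, which is the group a service would lock and push through a password change.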
Anyone whose Reddit account was affected will be allowed to log back in using their old password, but will then be prompted to change it. If Reddit has your email address (it's not required), you'll also be notified via email.
"Please, please, please make sure you choose strong passwords that are unique to Reddit," Sporkicide wrote, adding a suggestion that Reddit users enable two-factor authentication (2FA) to further strengthen their accounts.
In a separate post, Sporkicide revealed that some users who were locked out mistakenly received suspension notices, which should be ignored.
Reddit suffered a data breach of its own in mid-2018 when crooks intercepted the 2FA verification code sent to a Reddit administrator's smartphone, possibly as a result of SIM hijacking or unauthorized call forwarding. Fortunately, the 2FA protocol available to Reddit users is much safer because it requires an authentication app like Google Authenticator.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.