The accounts of some Reddit users have been locked or suspended because of unusual activity that may indicate unauthorized access. The Reddit security team said it plans to allow affected users to reset their passwords within a few hours.
The alleged cause of the unusual activity observed on the locked accounts is a credential stuffing attack, which takes advantage of users' habit of reusing the same login password across multiple websites and online services.
Reusing credentials is a dangerous habit, as it gives an attacker the opportunity to test username/password pairs stolen from other services. If they work, the attacker gains access to other accounts with minimal effort.
Unauthorized access identified in some cases
Some users are not convinced that a credential stuffing attack is a possible explanation for the precautionary measure, claiming that their Reddit credentials were unique and sufficiently robust.
One member suggested to "check if there were data / security reddit leaks instead of being limited to user errors". Another suggested a large-scale account hijacking scenario, similar to what recently happened to 50 million Facebook accounts due to a vulnerability that allowed the theft of access tokens.
However, several users reported that the activity log of their account indicated that it had been accessed from different countries (Italy, Brazil, Russia, Bangladesh, Thailand). One of them admitted to having a simple password.
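The two signals described above (stolen credential pairs being tried across many accounts, and successful logins from unfamiliar countries) can be combined into a simple detection pass over login events. This is an added example, not Reddit's detection logic; the event fields, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real Reddit data):
# (source_ip, username, country, login_succeeded)
EVENTS = [
    ("198.51.100.7", "alice", "IT", False),
    ("198.51.100.7", "bob", "IT", False),
    ("198.51.100.7", "carol", "IT", True),
    ("198.51.100.7", "dave", "IT", False),
    ("203.0.113.5", "erin", "US", True),
    ("203.0.113.5", "erin", "US", True),
]

# Countries each account has logged in from before (constructed baseline).
KNOWN_COUNTRIES = {"carol": {"US"}, "erin": {"US"}}


def stuffing_sources(events, min_users=3, max_success_ratio=0.5):
    """Return IPs that tried many distinct usernames with a low success ratio."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, _country, success in events:
        users[ip].add(user)
        total[ip] += 1
        ok[ip] += int(success)
    return sorted(
        ip for ip in users
        if len(users[ip]) >= min_users and ok[ip] / total[ip] <= max_success_ratio
    )


def accounts_to_lock(events, known_countries, suspect_ips):
    """Accounts with a successful login from a suspect IP in an unseen country."""
    hits = set()
    for ip, user, country, success in events:
        seen = known_countries.get(user, set())
        if success and ip in suspect_ips and country not in seen:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    suspects = stuffing_sources(EVENTS)
    print("suspect sources:", suspects)
    print("lock and force reset:", accounts_to_lock(EVENTS, KNOWN_COUNTRIES, suspects))
```

Accounts returned by `accounts_to_lock` are the ones where a reused password actually worked, which is why a forced password reset follows the lock.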
Users are slowly regaining access to their accounts
It's unclear how many accounts have been locked, but in a message published a few hours ago, Reddit admin Sporkicide refers to "a large group of accounts."
Reddit is currently working on establishing normal access conditions. Affected users with an email address associated with the Reddit account should be notified to reset their password.
However, a Reddit account can be used without an email address, and Sporkicide indicates that users in this category should try the login page until they can access it again. This does not mean, however, that you must constantly refresh the page until access is allowed.
Another way to receive notification is to add an email address to a support ticket you sent.
One user reported receiving the password notification after initially receiving a note informing him that his account had been suspended permanently for violation of the rules. He claims that he has done nothing wrong to warrant the suspension.
"You may receive your notice in a little while, but be patient. There is no need to create additional support tickets or send messages to administrators at the moment," says Sporkicide.
At the moment, some users have access to their Reddit account again, but others are still waiting for the password reset notification.
Sporkicide urges users to choose strong and unique passwords, and encourages them to add a valid email address to the account and enable two-factor authentication (2FA).
The Reddit security team recommends at least 12 characters for the password or, better yet, a short sentence.