More user password resets to come, Reddit co-founder says

May 27, 2016 23:35 GMT

Reddit co-founder Christopher Slowe announced yesterday that his company had to take precautionary measures and ask 100,000 users to reset their passwords after its security team detected a growing number of account hijackings.

Slowe blames this on the recent wave of data breaches, such as the massive 2012 LinkedIn incident, whose full extent was discovered only recently. With 167 million leaked records, it was the biggest data breach ever at the time he wrote his post. The MySpace data breach announced only a few hours ago has now taken the crown, with 427 million leaked user details.

Public data breaches weaken password policies across all sites

The Reddit co-founder points out that this data and the large number of passwords now available out in the open have allowed attackers to create a database of leaked passwords.

Since many users reuse their passwords across platforms, attackers take a Reddit username and search their databases for it. If they find a match, they take the account's password and try it on Reddit.

Something like this was at the core of a recent Reddit thread defacement incident, in which a hacker took over moderator accounts and altered the UI of Reddit topics.
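The password reuse described above can also be checked from the defender's side. The following is an added example, not Reddit's code: a site compares a leaked dump against its own salted password hashes and lists the accounts that need a forced reset, with dormant ones first. The record layout, the PBKDF2 parameters, the one-year dormancy threshold and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

def hash_password(password: str, salt: bytes, rounds: int = 50_000) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever KDF the site really uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def accounts_to_reset(accounts, leaked, today, dormant_days=365):
    """Return [(username, dormant)] for accounts whose current password
    appears next to the same username in a leaked dump."""
    by_user = {}
    for name, password in leaked:
        by_user.setdefault(name.lower(), set()).add(password)
    flagged = []
    for acct in accounts:
        # Only passwords leaked for this same username are tested.
        candidates = by_user.get(acct["username"].lower(), ())
        reused = any(
            hmac.compare_digest(hash_password(pw, acct["salt"]), acct["hash"])
            for pw in candidates
        )
        if reused:
            dormant = (today - acct["last_login"]).days > dormant_days
            flagged.append((acct["username"], dormant))
    # Dormant accounts first: nobody is around to notice misuse of them.
    return sorted(flagged, key=lambda item: not item[1])

def make_account(username, password, last_login):
    # Helper that builds a constructed sample record with a random salt.
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "hash": hash_password(password, salt), "last_login": last_login}

# Constructed sample data, not taken from any real breach.
ACCOUNTS = [
    make_account("alice", "correct horse battery", date(2016, 5, 20)),
    make_account("Bob", "hunter2", date(2016, 5, 25)),
    make_account("carol", "letmein1", date(2013, 1, 2)),
]
LEAKED = [("alice", "alice2012"), ("bob", "hunter2"),
          ("carol", "letmein1"), ("dave", "qwerty")]
TODAY = date(2016, 5, 27)

if __name__ == "__main__":
    for user, dormant in accounts_to_reset(ACCOUNTS, LEAKED, TODAY):
        print(user, "dormant" if dormant else "active")
```

Alice is not flagged because the password leaked under her username no longer matches her current hash.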

More Reddit account password resets to come

"We've ramped up our ability to detect the takeovers, and sent out 100k password resets in the last 2 weeks," Slowe wrote. "More are to come as we continue to verify and validate that no one except for you is using your account."

Before Reddit's announcement, Microsoft also learned a crucial lesson from the LinkedIn hack, and this week, it announced that it started banning simple passwords from its service.

Further, Slowe also raises the alarm about abandoned accounts, which he describes as "dry kindling" since there's nobody to prevent or detect misuse in their cases.

As for two-factor authentication, the Reddit co-founder revealed that the service already features such a function, but it's only active for site admins. He said that, for something like this to be rolled out to users, a lot of consideration and coordination are needed because of the huge app ecosystem Reddit is at the center of.

Nevertheless, the company is not afraid to make bold moves, having only recently changed its default image upload handler from Imgur to a custom, in-house solution.