Many Reddit users found themselves locked out of their accounts yesterday (Jan. 10) due to a "security concern." Even worse, some users were erroneously told that their accounts had been suspended. All affected Reddit users will have to change their account passwords.
Reddit admin Sporkicide told users that "a large group of accounts" had been locked down due to "unusual activity that did not correspond to the account's normal behavior [and] may indicate unauthorized access."
Sporkicide described what appeared to be a credential-stuffing attack. In other words, someone was trying to log into a batch of Reddit accounts using email addresses and passwords stolen from other sites' data breaches.
Credential-stuffing attacks are possible only because so many people reuse passwords across multiple accounts. If you use a unique password for every website — something made easiest by a password manager — then you won't have this problem.
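Detection logic of the kind Reddit's lockdown implies, as an added example that is not Reddit's code: it flags source addresses that try many distinct accounts with mostly failed logins, then lists the accounts that did succeed from such a source so they can be locked and forced to reset. The log format, sample lines and thresholds are assumptions.

```python
"""Toy credential-stuffing detector over constructed login-audit lines.

Assumed log format (one event per line):
  <timestamp> <source_ip> <username> <OK|FAIL>
"""
from collections import defaultdict

# Constructed sample lines, not real data. One source cycles through many
# accounts (breached email/password pairs); one is a normal user mistyping.
SAMPLE_LOG = """\
2019-01-10T03:00:01 203.0.113.7 alice FAIL
2019-01-10T03:00:02 203.0.113.7 bob FAIL
2019-01-10T03:00:02 203.0.113.7 carol OK
2019-01-10T03:00:03 203.0.113.7 dave FAIL
2019-01-10T03:00:04 203.0.113.7 erin FAIL
2019-01-10T03:00:05 203.0.113.7 frank FAIL
2019-01-10T09:15:00 198.51.100.20 alice OK
2019-01-10T09:16:10 198.51.100.20 alice FAIL
2019-01-10T09:16:40 198.51.100.20 alice OK
"""


def parse(log_text):
    """Parse lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        ts, ip, user, result = parts
        events.append((ts, ip, user, result == "OK"))
    return events


def stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Return {ip: sorted users} for sources that hit many distinct accounts
    with a low success rate, the signature of a credential-stuffing run."""
    per_ip = defaultdict(lambda: {"users": set(), "ok": 0, "total": 0})
    for _, ip, user, ok in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        rec["total"] += 1
        rec["ok"] += int(ok)
    flagged = {}
    for ip, rec in per_ip.items():
        rate = rec["ok"] / rec["total"]
        if len(rec["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = sorted(rec["users"])
    return flagged


def accounts_to_lock(events, flagged):
    """Accounts that logged in successfully from a flagged source: the reused
    password worked, so lock them and force a password change."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})
```

A normal user retrying their own password (one account, high success rate) is not flagged, which is the distinction between a failed-login alert and a stuffing alert.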
Anyone whose Reddit account was affected will be allowed to log back in using their old password, but will then be prompted to change it. If Reddit has your email address (it's not required), you'll also be notified via email.
"Please, please, please make sure you choose strong passwords that are unique to Reddit," Sporkicide wrote, adding a suggestion that Reddit users enable two-factor authentication (2FA) to further strengthen their accounts.
In a separate post, Sporkicide revealed that some users who were locked out mistakenly received suspension notices, which should be ignored.
Reddit suffered a data breach of its own in mid-2018 when crooks intercepted the 2FA verification code sent to a Reddit administrator's smartphone, possibly as a result of SIM hijacking or unauthorized call forwarding. Fortunately, the 2FA protocol available to Reddit users is much safer because it requires an authentication app like Google Authenticator.