Reddit itself was not exploited, but recent password dumps caused an uptick in account takeovers on the site.
Reddit has sent out 100,000 password resets in the last two weeks amid a boost in account takeovers by “malicious (or at best spammy) third parties.”
The site clarified that Reddit itself has not been exploited, and suggested that the recent LinkedIn password dump was partly to blame for the uptick in account takeovers.
The revelation comes after the login credentials for 117 million LinkedIn accounts, stolen in a 2012 data breach, were posted for sale on a dark web marketplace last week.
The haul, priced at five bitcoins (around $2,300), includes email addresses and password hashes; LinkedIn stored them as unsalted SHA-1 at the time, so most are easily cracked.
“Even the best security in the world won’t work when users are reusing passwords between sites,” Reddit Engineer Christopher Slowe wrote in a post on the site.
Slowe urged users to create a strong, unique Reddit password — emphasis on the word unique.
“I don’t mean ‘use that really good password you use on sites you care about,’” he wrote. “I mean ‘one that is used for Reddit and Reddit alone!’”
He also recommended that users set and verify an email address.
A verified email is not required on Reddit, but, as Slowe pointed out, the site currently has only one way for users to reset their password: by email. An account with no verified address has no recovery path if it is taken over.
Finally, Reddit users should check their own account activity page for suspicious activity.
If you see IPs you don’t recognize, especially from countries you don’t spend much time in, be sure to change your password.
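A small way to automate that review, added here as an example and not code from the article or from Reddit: it parses a constructed activity log in the shape of an account activity page (timestamp, source IP, country, action), checks each IP against networks the account owner recognises and each country against where they normally log in from, and ranks an unknown IP from an unusual country above an unknown IP from home. The trusted networks, home countries and log lines are all assumed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ActivityEntry:
    timestamp: str
    ip: str
    country: str  # two-letter code, as shown beside the IP on the activity page
    action: str


# Constructed sample in the shape of an account activity page export:
# timestamp, source IP, country, action. Not real Reddit data.
SAMPLE_ACTIVITY = """\
2016-05-25T08:12:03Z 203.0.113.10  US login
2016-05-25T19:40:11Z 198.51.100.7  US login
2016-05-26T02:15:57Z 192.0.2.44    RU login
2016-05-26T02:16:30Z 192.0.2.44    RU password_change
2016-05-27T09:01:45Z 203.0.113.11  US login
"""

# Assumed values for the account owner: home ISP range and usual country.
TRUSTED_NETWORKS = ["203.0.113.0/24"]
HOME_COUNTRIES = ["US"]


def parse_activity(text):
    """Parse whitespace-separated activity lines into ActivityEntry records."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4:
            raise ValueError(f"malformed activity line: {line!r}")
        timestamp, ip, country, action = parts
        ipaddress.ip_address(ip)  # raises ValueError if the IP field is garbage
        entries.append(ActivityEntry(timestamp, ip, country.upper(), action))
    return entries


def flag_suspicious(entries, trusted_networks=TRUSTED_NETWORKS,
                    home_countries=HOME_COUNTRIES):
    """Return (entry, severity, reasons) for every entry not from a trusted IP.

    An unrecognised IP inside a country you normally use is 'medium';
    an unrecognised IP from a country you do not spend time in is 'high',
    following the advice to look especially at unfamiliar countries.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    home = {c.upper() for c in home_countries}
    flagged = []
    for entry in entries:
        addr = ipaddress.ip_address(entry.ip)
        if any(addr in net for net in nets):
            continue  # recognised IP: nothing to report
        reasons = ["IP not in trusted networks"]
        severity = "medium"
        if entry.country not in home:
            reasons.append(f"country {entry.country} not among home countries")
            severity = "high"
        flagged.append((entry, severity, reasons))
    return flagged


def should_change_password(flagged):
    """Any high-severity hit means the password should be rotated now."""
    return any(severity == "high" for _, severity, _ in flagged)


if __name__ == "__main__":
    hits = flag_suspicious(parse_activity(SAMPLE_ACTIVITY))
    for entry, severity, reasons in hits:
        print(f"{severity:6} {entry.timestamp} {entry.ip:15} {entry.country} "
              f"{entry.action}: {'; '.join(reasons)}")
    if should_change_password(hits):
        print("Unrecognised logins from an unusual country: change your password.")
```

On the constructed sample the two 192.0.2.44 entries from RU come out as high severity and the 198.51.100.7 login as medium; the 203.0.113.x logins match the trusted range and are not reported. Widening TRUSTED_NETWORKS to cover a mobile carrier's range or a workplace is how you keep the medium hits from drowning out the real ones.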
Meanwhile, Reddit is also looking to weed out “abandoned accounts with no discernible history” that exist as placeholders in its database, Slowe wrote.
The company plans to start issuing password resets to these accounts soon; any account that shows no response within about a month will be disabled.