A large number of Reddit users are being told that they will have to reset their passwords in order to regain access to their accounts following what the site is calling a “security concern.”

The lockout occurred as Reddit’s security team investigates what appears to have been an attempt to log into many users’ accounts through a credential-stuffing attack.

In a post on Reddit’s Help subreddit, admin Sporkicide explained that the site had detected unusual behavior suggestive of a hacker gaining access to users’ accounts.

The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.

Credential-stuffing attacks see hackers taking passwords stolen in other data breaches and using automated systems to try them against other sites in an attempt to compromise accounts. Such attacks take advantage of the fact that so many internet users persist in recycling passwords rather than choosing unique, hard-to-crack passwords to defend their online accounts.

Most Reddit users first learned of the issue when some of them received emails from the site telling them that they should reset their passwords and ensure that they were not using the same password anywhere else online.

Unfortunately, according to Sporkicide, Reddit messed up some of its communications by incorrectly informing some affected users that their accounts had been suspended.

Some affected Reddit users may not even realize that there has been a “security concern.” For instance, although Reddit highly encourages users to have an email address associated with their accounts, it is not mandatory. For quite understandable reasons, Reddit is unable to email advice and warnings to users when it does not know their email addresses.

When you do eventually manage to recover access to your account, my advice is to choose a unique, strong, hard-to-guess password that you are not using anywhere else on the internet and to ensure that you have two-factor authentication (2FA) enabled.

Some Reddit users have responded to the announcement of the incident by declaring that they *were* using unique, complex passwords and saying that it doesn’t make any sense for them to have been locked out of the accounts. Some also point to the fact that they have 2FA enabled.

I’m not sure I agree with those Reddit users’ conclusion. Reddit may have taken action to lock accounts where it saw automated attempts to gain access, even if those attacks were not successful. In other words, your account may have been locked even if it wasn’t compromised.
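To illustrate how a site could end up locking accounts that were targeted but never breached, here is an added detection sketch. It is not Reddit's actual logic or code from the original article; the event format, thresholds, function names and sample data are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
# The IPs come from documentation ranges; the usernames are made up.
EVENTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),    # a reused password happened to work
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),
    ("198.51.100.20", "frank", False),  # ordinary typo followed by a success
    ("198.51.100.20", "frank", True),
]

def find_stuffing_sources(events, min_accounts=5, min_failure_ratio=0.6):
    """Return source IPs that tried many distinct accounts and mostly failed."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    failures = defaultdict(int)
    for ip, user, ok in events:
        accounts[ip].add(user)
        attempts[ip] += 1
        failures[ip] += 0 if ok else 1
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and failures[ip] / attempts[ip] >= min_failure_ratio}

def triage_accounts(events, **thresholds):
    """Split accounts touched by stuffing sources into targeted vs. accessed."""
    sources = find_stuffing_sources(events, **thresholds)
    targeted, accessed = set(), set()
    for ip, user, ok in events:
        if ip in sources:
            targeted.add(user)      # attempted, whether or not it worked
            if ok:
                accessed.add(user)  # the attacker's login succeeded
    return {"lock_and_reset": sorted(targeted),
            "likely_compromised": sorted(accessed)}

if __name__ == "__main__":
    print(triage_accounts(EVENTS))
```

In this sample, five accounts land in the lock-and-reset set while only one shows a successful attacker login, which is the gap between "locked" and "compromised" described above.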

If you are concerned that your account may have been accessed, then you can always check its activity log for unusual activity and details of the IP addresses, browsers and possible locations of those accessing the account.

For more information about Reddit’s 2FA feature, be sure to check out its support article.