The following is in relation to a security incident yesterday (1st August 2021) that involved unauthorized access to at least 4 members' accounts by a malicious 3rd party. The accounts had their passwords changed, and were then used to post unsavory content before they were locked down.
After an internal security audit, we have ascertained that the accounts were compromised as they used similar credentials (username:password combination) at Reddit.com, which suffered a breach 8 months ago.
We have also traced around 20 other accounts (which also appear on Reddit with a similar username) which were attacked in a similar way, but where the attempts did not result in a breach, possibly due to different passwords/credentials being used.
As compromised passwords and data breaches are quite rampant, over the next few days we will be upgrading our system to include a compromised password notification powered by Have I Been Pwned (https://haveibeenpwned.com/Passwords). Should your current password exist in the breach database (there are now over 600 million compromised passwords on HIBP), you will receive an email informing you about this and recommending that you change your password. As your passwords are stored as a one-way hash in our database, this check can only be done at your next login once this feature is implemented.
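How a login-time check of this kind can work, as an added example that is not this site's code: it uses the Pwned Passwords range API, where only the first 5 hex characters of the password's SHA-1 leave the server and the match is done locally. The `on_login`, `verify` and `notify` names, the User-Agent string and the sample response are assumptions constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint

def sha1_parts(password):
    """Split the uppercase SHA-1 hex digest into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Fetch all known suffixes under a prefix; the full hash is never transmitted."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-forum-login-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Return how often the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = sha1_parts(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded filler entries carry a count of 0
    return 0

def on_login(user, password, verify, notify, fetch=fetch_range):
    """Hypothetical login hook: the plaintext exists only here, so the check runs here."""
    if not verify(user, password):
        return False  # never look up passwords that failed authentication
    try:
        hits = breach_count(password, fetch)
    except (OSError, ValueError):
        hits = 0  # fail open: an unreachable or malformed lookup must not block logins
    if hits:
        notify(user, hits)  # e.g. queue the "please change your password" email
    return True

def sample_fetch(prefix):
    """Constructed offline response: filler suffixes plus the real suffix of 'password'."""
    _, suffix = sha1_parts("password")
    return "0" * 35 + ":3\r\n" + suffix + ":1234\r\n" + "F" * 35 + ":0\r\n"

if __name__ == "__main__":
    sent = []
    on_login("alice", "password", lambda u, p: True,
             lambda u, n: sent.append((u, n)), sample_fetch)
    print(sent)
```

The lookup fails open so that an outage at the breach service cannot lock members out; the notification is simply deferred to a later login.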
Account Security - Use of compromised passwords