News from reddit about site security
r/redditsecurity
Hi all, I’m u/outersunset, and I’m here to share that Reddit has released our full-year Transparency Report for 2022. Alongside this, we’ve also just launched a new online Transparency Center, which serves as a central source for Reddit safety, security, and policy information. Our goal is that the Transparency Center will make it easier for users - as well as other interested parties, like policymakers and the media - to find information about how we moderate content, deal with complex things like legal requests, and keep our platform safe for all kinds of people and interests.
And now, our 2022 Transparency Report: as many of you know, we publish these reports on a regular basis to share insights and metrics about content removed from Reddit – including content proactively removed as a result of automated tooling - as well as accounts suspended, and legal requests from governments, law enforcement agencies, and third parties to remove content or lawfully obtain private user data.
Reddit’s Biggest Content Creation Year Yet
Content Creation: This year, our report shows that there was a lot of content on Reddit. 2022 was the biggest year of content creation on Reddit to date, with users creating an eye-popping 8.3 billion posts, comments, chats, and private messages on our platform (you can relive some of the beautiful mess that was 2022 via our Reddit Recap).
Content Policy Compliance: Importantly, the overwhelming majority – over 96% – of Reddit content in 2022 complied with our Content Policy and individual community rules. This is a slight increase from last year’s 95%. The remaining 4% of content in 2022 was removed by moderators or admins, with the overwhelming majority of admin removals (nearly 80%) being due to spam, such as karma farming.
Other key highlights from this year include:
Content & Subreddit Removals: Consistent with previous years, there were increased content and subreddit removals across most policy categories. Based on the data as a whole, we believe this is largely due to our evolving policies and continuous enforcement improvements. We’re always looking for ways to make our platform a healthy place for all types of people and interests, and this year’s data demonstrates that we’re continuing to improve over time.
We’d also like to give a special shoutout to the moderators of Reddit, who accounted for 58% of all content removed in 2022. This was an increase of 4.7% compared to 2021, and roughly 69% of these were a result of proactive Automod removals. Building out simpler, better, and faster mod tooling is a priority for us, so watch for more updates there from us.
Global Legal Requests: We saw increased volumes across nearly all types of global legal requests. This is in line with industry trends.
This includes year-over-year increases of 43% in copyright notices, 51% in legal removal requests submitted by government and law enforcement agencies, 61% in legal requests for account information from government and law enforcement agencies, and 95% in trademark notices.
You can read more insights in the full-year 2022 Transparency Report here.
Starting later this year, we’ll be shifting to publishing this full report - with both legal requests and content moderation data - on a biannual cadence (our first mid-year Transparency Report focused only on legal requests). So expect to see us back with the next report later in 2023!
Happy Women’s history month everyone. It's been a busy start to the year. Last month, we fielded a security incident that had a lot of snoo hands on deck. We’re happy to report there are no updates at this time from our initial assessment and we’re undergoing a third-party review to identify process improvements. You can read the detailed post on the incident by u/keysersosa from last month. Thank you all for your thoughtful comments and questions, and to the team for their quick response.
Up next: The Numbers:
| Category | Volume (Jul - Sep 2022) | Volume (Oct - Dec 2022) |
|---|---|---|
| Reports for content manipulation | 8,037,748 | 7,924,798 |
| Admin removals for content manipulation | 74,370,441 | 79,380,270 |
| Admin-imposed account sanctions for content manipulation | 9,526,202 | 14,772,625 |
| Admin-imposed subreddit sanctions for content manipulation | 78,798 | 59,498 |
| Protective account security actions | 1,714,808 | 1,271,742 |
| Reports for ban evasion | 22,813 | 16,929 |
| Admin-imposed account sanctions for ban evasion | 205,311 | 198,575 |
| Reports for abuse | 2,633,124 | 2,506,719 |
| Admin-imposed account sanctions for abuse | 433,182 | 398,938 |
| Admin-imposed subreddit sanctions for abuse | 2,049 | 1,202 |
TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.
On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).
Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.
Soon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator’s access and commencing an internal investigation. Similar phishing attacks have been recently reported. We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the weakest part of the security chain.
Our goal is to fully understand and prevent future incidents of this nature, and we will use this post to provide any additional updates as we learn and can share more. So far, it also appears that many of the lessons we learned five years ago have continued to be useful.
Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account. The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account. Learn how to enable 2FA in Reddit Help. And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.
2
Hi all,
We wanted to let you know that Reddit is now available as an “onion service” on Tor at the address:
https://www.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion
As some of you likely know, an onion service enables users to browse the internet anonymously. Tor is a free and open-source software that enables this kind of anonymous communication and browsing. It’s an important tool frequently used by journalists, human rights activists, and others who face threats of surveillance or censorship. Reddit has always been accessible via Tor, but with the launch of our official onion service, we’re able to improve the user experience when browsing Reddit on Tor: quicker loading times for the site, shorter network hops through Tor network and eliminating opportunities for Reddit being blocked or someone maliciously monitoring your traffic, and a cryptographic assurance that your connection is direct to reddit.com.
The goal with our onion service is to provide access to most of the site’s functionality at minimum this will include our standard post/comment functionality. While some functionality won’t work with Javascript disabled, core browsing should work. If you happen to find something broken, feel free to report it over at r/bugs and we’ll look into it.
A huge thank you to the work of Alec Muffett (@AlecMuffett) and all the predecessors who helped build the Enterprise Onion Toolkit, which this launch is largely based on. We’ll be open sourcing our Kubernetes deployment pattern and helping modernize the existing codebase and sharing our signal enhancements to help spot and block abuse against our new onion service.
For more information about the Tor network please visit https://www.torproject.org/.
Edit: There's of course an old reddit flavor at https://old.reddittorjg6rue252oqsxryoxengawnmo46qy4kyii5wtqnwfj4ooad.onion.
Hi reddit peoples!
You may remember me from a few weeks ago when I gave an update on user blocking. Thank you to everyone who gave feedback about what is and isn’t working about blocking. The stories and examples many of you shared helped identify a few ways blocking should be improved. Today, based on your feedback, we’re happy to share three new updates to blocking. Let’s get to it…
Update #1: Preventing people from using blocking to shut down conversations
In January, we changed the tool so that when you block someone, they can’t see or respond to any of your comment threads. We designed blocking to prevent harassment, but we see that we have also opened up a way for users to shut down conversations.
Today we’re shipping a change so that users aren’t locked out of an entire comment thread when a user blocks them, and can reply to some embedded replies (i.e., the replies to your replies). We want to find the right balance between protecting redditors from being harassed while keeping conversations open. We’ll be testing a range of values, from the 2nd to 15th-level reply, for how far a thread continues before a blocked user can participate. We’ll be monitoring how this change affects conversations as we determine how far to turn this ‘knob’ and exploring other possible approaches. Thank you for helping us get this right.
Update #2: Fixing bugs
We have fixed two notable bugs:
When you block someone in the same thread as you, your comments are now always visible in your profile.
Blocking on old Reddit works the same way as it does on the rest of the platform now. We fixed an issue on old Reddit that was causing the block experience to sometimes revert back to the old version, and other times it would be a mix of the new and the old experience.
If you see any bugs, please keep reporting them! Your feedback helps keep reddit a great place for everyone to share, discuss, and debate — (What kind of world would we live in if we couldn’t debate the worst concert to go to if band names were literal?)
Update #3: People want more controls over their experience
About Community
Members
Online
Info
/r/redditsecurity is a running log of actions taken to ensure the safety and security of reddit.com
See /r/reddit and /r/modnews for other important news about the site
To report content policy violations to the admins, please use this form
If you think you've located a significant security concern, send it to security@reddit.com
Check out /r/ModSupport for information related to subreddit moderation
This is an admin-sponsored subreddit.