TL;DR (this is a lengthy post, but stay with us until the end: as a lawyer, I am not allowed to be brief):
We are, unfortunately, seeing more and more commercial entities collecting public data, including Reddit content, in bulk with no regard for user rights or privacy. We believe in preserving public access to Reddit content, but in distributing Reddit content, we need to work with trusted partners that will agree in writing to reasonable protections for redditors. They should respect user decisions to delete their content as well as anything Reddit removes for violating our Content Policy, and they cannot abuse their access by using Reddit content to identify or surveil users.
In line with this, and to be more transparent about how we protect data on Reddit, today we published our, which outlines how we manage access to public content on our platform at scale.
At the same time, we continue to believe in supporting public access to Reddit content for researchers and those who believe in responsible non-commercial use of public data. This is why we’re building new tools for researchers and introducing a new subreddit, . Our goal is for this sub to evolve into a place to better support researchers and academics and improve their access to Reddit data.
Hi, redditors - I’m , Reddit’s Chief Legal Officer, and today I’m sharing more about how we protect content on Reddit.
Our Public Content Policy
Reddit is an inherently public platform, and we want to keep it that way. Although we’ve shared our POV , we’re publishing this policy to give you all (whether you are a redditor, moderator, researcher, or developer) a better sense of how we think about access to public content and the protections that should exist for users against misuse of public content.
This is distinct from our , which covers how we handle the minimal private/personal information users provide to us (such as email). It’s not our , which sets out our rules for what content and behavior is allowed on the platform.
What we consider public content on Reddit
Public content includes all of the content – like posts and comments, usernames and profiles, public karma scores, etc. (for a longer list, you can check out our public API) – that Reddit distributes and makes publicly available to redditors, visitors who use the service, and developers, e.g. to be extra clear, it doesn’t include stuff we don’t make public, such as private messages or mod mail, or non-public account information, such as email address, browsing history, IP address, etc. (this is stuff we don’t and would never license or distribute, because we believe).
Preventing the misuse and abuse of public content
Unfortunately, we see more and more commercial entities using unauthorized access or misusing authorized access to collect public data in bulk, including Reddit public content. Worse, these entities perceive they have no limitation on their usage of that data, and they do so with no regard for user rights or privacy, ignoring reasonable legal, safety, and user removal requests. While we will continue our efforts to block known bad actors, we can’t continue to assume good intentions. We need to do more to restrict access to Reddit public content at scale to trusted actors who have agreed to abide by our policies. But we also need to continue to ensure that users, mods, researchers, and other good-faith, non-commercial actors have access.
The policy, at-a-glance
Our policy outlines the information partners can access via any public-content licensing agreements. It also outlines the commitments we make to users about usage of this content, explaining how:
We require our partners to uphold the privacy of redditors and their communities. This includes respecting users’ decisions to delete their content and any content we remove for violating our Content Policy.
Partners are not allowed to use content to identify individuals or their personal information, including for ad targeting purposes.
Partners cannot use Reddit content to spam or harass redditors.
Partners are not allowed to use Reddit content to conduct background checks, facial recognition, government surveillance, or help law enforcement do any of the above.
Partners cannot access public content that includes adult media.
And, as always, we don’t sell the personal information of redditors.
What’s a policy without enforcement?
Anyone accessing Reddit content must abide by our policies, and we are selective about who we work with and trust with large-scale access to Reddit content. We will block access to those that don’t agree to our policies, and we will continue to enhance our capabilities to hunt down and catch bad actors. We don’t want to but, if necessary, we’ll also take legal action.
What changes for me as a user?
Nothing changes for redditors. You can continue using Reddit logged in, logged out, on mobile, etc.
What do users get out of these agreements?
Users get protections against misuse of public content. Also, commercial agreements allow us to invest more in making Reddit better as a platform and product.
Who can access public content on Reddit?
In addition to those we have agreements with, Reddit Data API access remains free for non-commercial researchers and academics under our published usage threshold. It also remains accessible for organizations like the Internet Archive.
Reddit for Research
It’s important to us that we continue to preserve public access for researchers and those who believe in responsible non-commercial use of public data. We believe in and recognize the value that public Reddit content provides to researchers and academics. Academics contribute meaningful and important research that helps shape our understanding of how people interact online. To continue studying the impacts of how behavioral patterns evolve online, access to public data is essential.
That’s why we’re building tools and an environment to help researchers access Reddit content. If you're an academic or researcher, and interested in learning more, head over to and check out ’s first post.
Thank you to the users and mods who gave us feedback in developing this Public Content Policy, including u/abrownn, among others.
Hey all! Today we wanted to take a moment to explain how you can verify if a message, comment, or post is truly from a Reddit employee or Reddit Inc. As you can see by clicking on my profile, all official Reddit accounts will have a or denoting admin accounts.
You'll also see those on official messages, comments, or posts from us (like on this post).
If there is an email address attached to your username, you may also receive notices at that address from @reddit.com or @redditmail.com addresses.
Account security related notifications/messages are sent officially from our account only. We'll also never send you a chat message notifying you of a security related issue.
Finally, in the words of every gaming company anywhere, Reddit will never ask you for your password or 2FA codes. Please report any suspicious messages by clicking the "report" option below each suspicious message, post or comment, or by filling out a report using reddit.com/report directly.
Note: we're aware that this isn't currently visible if you're using the iOS app, and we're working on a fix. In the meantime, if you're ever unsure, please view the profile from the desktop version of the site.
TL;DR: Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (Pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.
What Happened?
Late on February 5, 2023 (PST), we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.
After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).
Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.
How Did We Respond?
Soon after being phished, the affected employee self-reported, and the Security team responded quickly, removing the infiltrator’s access and commencing an internal investigation. Similar phishing attacks have been recently reported. We’re continuing to investigate and monitor the situation closely and working with our employees to fortify our security skills. As we all know, the human is often the of the security chain.
Our goal is to fully understand and prevent future incidents of this nature, and we will use this post to provide any additional updates as we learn and can share more. So far, it also appears that many of the five years ago have continued to be useful.
User Account Protection
Since we’re talking about security and safety, this is a good time to remind you how to protect your Reddit account. The most important (and simple) measure you can take is to set up 2FA (two-factor authentication) which adds an extra layer of security when you access your Reddit account. Learn in Reddit Help. And if you want to take it a step further, it’s always a good idea to update your password every couple of months – just make sure it’s strong and unique for greater protection.
Also: use a password manager! Besides providing great complicated passwords, they provide an extra layer of security by warning you before you use your password on a phishing site… because the domains won’t match!
…AMA!
The team and I will stick around for the next few hours to try to answer questions. Since our investigation is still ongoing and this is about our security practices, we can’t necessarily answer everything in great detail, but we’ll do our best to live up to here.
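The domain check that the password-manager advice above relies on, as an added sketch that is not Reddit's code or any particular product's: saved logins are keyed by exact origin, so a cloned login page on a different host gets nothing filled. The vault entry, the function names and all `.example` hostnames are constructed for illustration.

```javascript
// Constructed sample vault: each login is bound to the exact origin it was
// saved on. Hostnames are reserved .example names, not real systems.
const VAULT = [{ origin: "https://gateway.corp.example", username: "alice" }];

// Parse the page URL; the WHATWG parser separates userinfo from the host, so
// "https://good.example@other.example/" has the hostname other.example.
function parsePage(rawUrl) {
  try {
    return new URL(rawUrl);
  } catch {
    return null;
  }
}

// Decide whether a saved login may be offered on the page being viewed.
function fillDecision(rawUrl) {
  const page = parsePage(rawUrl);
  if (page === null || page.protocol !== "https:") {
    return { fill: false, reason: "not-https-or-unparseable" };
  }
  // Compare scheme://host[:port] exactly; path and query play no part.
  const exact = VAULT.find((e) => e.origin === page.origin);
  if (exact) {
    return { fill: true, reason: "exact-origin-match", username: exact.username };
  }
  // No exact match. Flag pages that only *mention* a saved host, which is
  // how a cloned page can look familiar to a person reading the address bar.
  for (const entry of VAULT) {
    const savedHost = new URL(entry.origin).hostname;
    if (page.hostname.includes(savedHost) || page.username.includes(savedHost)) {
      return { fill: false, reason: "lookalike-of-saved-site" };
    }
  }
  return { fill: false, reason: "no-saved-login" };
}

// Constructed page URLs: the real gateway, then four that a person could misread.
const SAMPLES = [
  "https://gateway.corp.example/login",
  "https://gateway.corp.example.login.attacker.example/",
  "https://gateway.corp.example@attacker.example/login",
  "https://gateway-corp.example/login",
  "http://gateway.corp.example/login",
];
for (const url of SAMPLES) {
  console.log(fillDecision(url).reason.padEnd(26), url);
}
```

Only the first sample is offered a login; the refusal on the others is the warning signal the post describes, and it does not depend on the user spotting the difference by eye.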