New Account Takeover on Reddit
Reddit accounts with significant karma or established reputations in valuable communities are targeted for credential stuffing and phishing takeovers, then used to spread scam links, manipulate votes, or harvest community trust.
Last reviewed: 1 June 2026
A Reddit account's value is defined by its karma score and posting history — indicators of trustworthiness that other users rely on to evaluate the credibility of content and advice. Fraudsters who take over high-karma accounts can immediately post scam content to subreddits where the account's history provides a veneer of authenticity.
Account takeover on Reddit exploits both credential reuse and phishing, and has become more systematised as the value of old accounts for marketing manipulation, scam propagation, and community infiltration has grown.
How this scam works on Reddit
Automated credential stuffing tools test leaked username and password combinations against Reddit's authentication system. High-karma accounts whose credentials match a leaked pair are identified and flagged for manual review by the attacker, who then uses them in specific subreddits where the account's history is relevant.
Phishing attacks targeting Reddit accounts often arrive via email — fake notifications about comment replies, account alerts, or moderation actions that link to a convincing Reddit login page. Entering credentials on this page transfers them to the attacker.
Compromised accounts are used to post affiliate links, pyramid scheme promotions, or crypto scams in communities where such content would normally be removed by moderation, relying on the account's established reputation to avoid scrutiny. Some operators use Reddit accounts as part of astroturfing campaigns, manufacturing consensus around products or narratives.
Common red flags
- Email notification about Reddit activity that directs you to a login page outside reddit.com
- Unexpected login alert from Reddit for an unrecognised device or location
- Reddit messages sent from your account that you did not write
- Votes, follows, or moderator actions associated with your account that you did not initiate
- Reddit email notification of a password or email change you did not make
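The first red flag above, a notification email whose links lead outside reddit.com, can be checked mechanically. The following is an added example, not part of the original page: it assumes that only reddit.com and its subdomains, reached over HTTPS, count as legitimate, and the sample email body and the example hosts in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: taken from the page's "outside reddit.com" rule.
TRUSTED_DOMAIN = "reddit.com"


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href.strip())


def is_reddit_host(url):
    """True only for https URLs whose host is reddit.com or a subdomain of it."""
    parts = urlsplit(url)
    # .hostname ignores any "user@" prefix, so "reddit.com@other.host" is judged
    # by the real host; a trailing dot is stripped before comparison.
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    # Suffix match includes the leading dot, so "notreddit.com" and
    # "reddit.com.login.example" do not pass.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def suspicious_links(html_body):
    """Return every link in the email body that leads outside reddit.com."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [h for h in collector.hrefs if not is_reddit_host(h)]


# Constructed sample email body, not a real message; hosts are placeholders.
SAMPLE_EMAIL = """
<p>u/someone replied to your comment.</p>
<a href="https://www.reddit.com/r/test/comments/abc/">View reply</a>
<a href="https://reddit.com.login.example/login">Log in to reply</a>
<a href="https://reddit.com@accounts.example/login">Secure your account</a>
<a href="https://reddit-com.example/login">Verify</a>
<a href="http://reddit.com/settings">Settings</a>
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL):
        print("outside reddit.com:", link)
```

The check compares the parsed hostname, not the visible link text or a substring of the URL, which is why the lookalike forms in the sample are all reported.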
How to protect yourself
- Enable Reddit two-factor authentication in User Settings > Security
- Use a unique, strong password for Reddit that is not shared with any other service
- Check Reddit's active sessions list in security settings and terminate any you do not recognise
- Check breach notification services for your Reddit-linked email and update any compromised passwords
- Be sceptical of any email about your Reddit account that links to an external login page
- Enable email verification for new Reddit sessions to receive alerts for unfamiliar device logins
How to report it
- Report the suspicious activity to Reddit through the official Help Centre contact form
- File a complaint with your national cybercrime unit if the compromised account was used to perpetrate financial fraud
- Alert the moderators of communities where the compromised account was used to spread scam content
Frequently asked questions
Why would a fraudster want to take over a Reddit account with high karma?
High-karma accounts are less likely to be automatically filtered by subreddit spam controls. They can post in communities that restrict new accounts, and their established comment history creates an impression of trustworthiness that makes scam content harder to dismiss on sight. Old accounts with relevant posting histories in financial or investment subreddits are particularly valuable.