If Dailymotion Logged You Out, It's Possible That Your Password Was Breached During the Latest Attack

Dailymotion Suffers a Credential Stuffing Attack

Dailymotion, as you probably know, is the second largest website of its type after YouTube. It's nowhere near as big as Google's video sharing platform, but we're still talking about hundreds of millions of unique visits every month, so when Dailymotion announces that there's been a problem with some of the accounts, many people tend to listen. So far, we've seen two such occasions: one in 2016 and one last week.

The first breach happened in October 2016, when a hacking group managed to infiltrate Dailymotion's backend and took off with about 85 million email addresses and around 18 million passwords. The good news was that the passwords had been hashed with bcrypt, an algorithm that makes brute-forcing the credentials practically impossible. In other words, the damage for the users, especially the ones that hadn't used any particularly bad passwords, was somewhat limited. What about last week's incident?

Hackers try to hijack users' Dailymotion accounts

On Friday, Dailymotion announced that it had been attacked again. This time, there's no information on the exact number of affected individuals. In fact, the information is rather scarce at this point. All Dailymotion shared with the media is that the attack was first spotted on January 19 and that mitigation measures were taken immediately. Users who might have been affected have been logged out, and their passwords have been reset. They should have an email notification that tells them what happened as well as a link that lets them regain control of their accounts. CNIL (France's Data Protection Authority) has also been informed and will need to decide whether Dailymotion should be penalized in accordance with the EU's General Data Protection Regulation (GDPR). The people running the video sharing website think, however, that they've done nothing wrong.

According to Dailymotion, it was a credential stuffing attack

The press release is a bit ambiguous, but it does say that the attackers were either trying to guess the users' passwords or were using credentials stolen from other vendors. In other words, they reckon that they were most likely targeted by a credential stuffing attack.

Given the circumstances, this is as close to a silver lining as it gets as far as Dailymotion is concerned. For users, however, the news is far from good.

This is the latest in a long line of incidents that are reportedly the result of credential stuffing. In November, HSBC clients were forced to change their passwords after a similar attack, and a couple of weeks later, Iceland, a UK supermarket chain, said that its customers might also be victims of the same password guessing mechanism. More recently, Reddit logged people out of their accounts after they were targeted by credential stuffing, which goes to show that the problem is growing more serious by the day. The recent discovery of a data dump with millions of username and password combinations is unlikely to buck the trend.
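The two possibilities named in the press release, password guessing and credentials reused from other breaches, look different in login logs, and the response described above (log out and reset accounts that may have been affected) depends on knowing which accounts a flagged source actually got into. The following is an added example, not Dailymotion's code; the event format, thresholds and function names are assumptions, and the log entries are constructed.

```python
from collections import defaultdict

# Constructed sample login events (source IP, username, outcome); not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", u, "fail") for u in ("alice", "bob", "carol", "dave", "eve")]
    + [("203.0.113.7", "dana", "ok")]            # one reused password worked
    + [("198.51.100.9", "erin", "fail")] * 8     # repeated guesses at one account
    + [("192.0.2.4", "frank", "fail"), ("192.0.2.4", "frank", "ok")]  # typo, then login
)

def classify_sources(events, min_accounts=5, min_fail_ratio=0.8, guess_attempts=5):
    """Label each source 'stuffing', 'guessing' or 'normal' from its login pattern.

    Thresholds are illustrative assumptions, not values from any vendor.
    """
    stats = defaultdict(lambda: {"attempts": defaultdict(int), "fails": 0})
    for ip, user, outcome in events:
        stats[ip]["attempts"][user] += 1
        if outcome == "fail":
            stats[ip]["fails"] += 1
    labels = {}
    for ip, s in stats.items():
        total = sum(s["attempts"].values())
        accounts = len(s["attempts"])
        fail_ratio = s["fails"] / total
        if accounts >= min_accounts and fail_ratio >= min_fail_ratio:
            labels[ip] = "stuffing"   # many distinct accounts, mostly failing
        elif max(s["attempts"].values()) >= guess_attempts and fail_ratio >= min_fail_ratio:
            labels[ip] = "guessing"   # many tries against the same account
        else:
            labels[ip] = "normal"
    return labels

def accounts_to_reset(events, labels):
    """Accounts that had a successful login from a flagged source."""
    return sorted({user for ip, user, outcome in events
                   if outcome == "ok" and labels.get(ip) != "normal"})

if __name__ == "__main__":
    labels = classify_sources(SAMPLE_EVENTS)
    print(labels)
    print(accounts_to_reset(SAMPLE_EVENTS, labels))
```

Only the account whose login succeeded from the stuffing source is selected for a forced reset; the user who mistyped a password once and then logged in is left alone.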

The case for avoiding password reuse has never been stronger. For years, security experts were telling us how terrible the consequences of credential stuffing could be, and right now, more and more people are experiencing it first-hand. The only way to avoid it is by using unique passwords for all your accounts, and doing this is not as difficult as it used to be. Password management tools like the Cyclonis Password Manager can help you.

January 28, 2019
