Was Your Vimeo Account Frozen? Here's Why
It's safe to say that individuals should be responsible for their own security and should bear the consequences when they don't take this task seriously enough. Nevertheless, online service providers that take proactive steps to protect their users definitely deserve a proverbial pat on the back. Having said that, communicating their actions with users is probably as important as the actions themselves, and unfortunately, this is where sometimes things don't go quite as well as everyone hopes. Video-sharing platform Vimeo, for example, showed us how security initiatives that are not well explained can cause a lot of confusion.
"Frozen" accounts leave Vimeo users scratching their heads
Last week, some Vimeo account owners realized that they were unable to log into the video publishing platform. David Smith, a reader of infosec journal The Register, explained that he received a notification telling him that "a stranger" had accessed his account and that, to protect him, Vimeo had decided to freeze the profile. This sort of scenario isn't as uncommon as you might think, and although we're talking about unauthorized access, it doesn't necessarily mean that the online service (Vimeo, in this case) has been compromised.
Credential stuffing is becoming more and more popular with cybercriminals. In this attack, crooks take a database of usernames and passwords stolen from one website (e.g., an online discussion board) and try them out against another platform (e.g., Facebook). Because so many people reuse the same login credentials at multiple websites, quite a few Facebook profiles could be compromised despite the fact that the social network itself hasn't been targeted by hackers.
Some stats recently published by Microsoft showed that password spraying is fairly common nowadays as well. In a password spraying attack, the crooks take a list of known usernames and pair them with a few commonly used, easy-to-guess passwords. Once again, people's tendency to use the same weak passwords means that cybercriminals can break into users' accounts with relative ease.
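Both attacks described above leave the same footprint in a service's authentication logs: one source touching many distinct accounts, mostly failing, with only one or two tries per account (breach pairs are tried once each, and sprayers stay under the lockout threshold). The following detector, an added example that is not part of the original article and not Vimeo's code, parses a constructed sample of login events and flags sources with that shape, listing any accounts that were successfully logged into from a flagged source so they can be frozen and reset. The log format, the thresholds and all addresses and usernames are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of authentication events for this example; these are not
# real Vimeo logs. Format per line: timestamp source_ip username outcome
SAMPLE_LOG = """\
2019-08-12T10:00:01Z 203.0.113.7 alice FAIL
2019-08-12T10:00:02Z 203.0.113.7 bob FAIL
2019-08-12T10:00:03Z 203.0.113.7 carol FAIL
2019-08-12T10:00:04Z 203.0.113.7 dave FAIL
2019-08-12T10:00:05Z 203.0.113.7 erin FAIL
2019-08-12T10:00:06Z 203.0.113.7 frank OK
2019-08-12T10:05:00Z 198.51.100.9 bob FAIL
2019-08-12T10:05:20Z 198.51.100.9 bob FAIL
2019-08-12T10:05:45Z 198.51.100.9 bob OK
2019-08-12T11:00:00Z 192.0.2.55 alice FAIL
2019-08-12T11:00:09Z 192.0.2.55 bob FAIL
2019-08-12T11:00:18Z 192.0.2.55 carol FAIL
2019-08-12T11:00:27Z 192.0.2.55 dave FAIL
2019-08-12T11:00:36Z 192.0.2.55 erin FAIL
"""


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events


def detect_account_breadth_attacks(events, min_accounts=5, min_failure_ratio=0.7):
    """Flag source IPs that touch many distinct accounts with mostly failures.

    Credential stuffing (one breach pair per account) and password spraying
    (one common password against many accounts) both produce this pattern.
    Logs do not record which password was tried, so the detector reports the
    shape of the activity and leaves the final classification to the analyst.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "per_user": defaultdict(int), "successes": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["per_user"][e["user"]] += 1
        if e["ok"]:
            s["successes"].add(e["user"])
        else:
            s["failures"] += 1

    alerts = {}
    for ip, s in per_ip.items():
        accounts = len(s["per_user"])
        ratio = s["failures"] / s["attempts"]
        if accounts >= min_accounts and ratio >= min_failure_ratio:
            alerts[ip] = {
                "accounts": accounts,
                "failure_ratio": round(ratio, 2),
                # 1 or 2 tries per account is the tell for stuffing/spraying:
                # a user who forgot a password hammers one account instead.
                "max_tries_per_account": max(s["per_user"].values()),
                # successful logins from an attacking source: freeze and reset
                "compromised": sorted(s["successes"]),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_account_breadth_attacks(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 203.0.113.7 tries six accounts once each and gets into one (frank), which is the account a provider would freeze; 192.0.2.55 sweeps five accounts and fails on all; 198.51.100.9 is a single user mistyping a password twice and is not flagged. In production the per-IP counters would be kept over a sliding time window, and a distributed attack spread across many addresses needs the same breadth check applied per ASN or per device fingerprint rather than per IP.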
Vimeo said that malware had stolen users' credentials
David Smith knew that he hadn't been targeted by a credential stuffing attack, and he was also fairly sure that password spraying wasn't involved. He was confident that something else was the matter because, unlike many people, he was using a unique, randomly generated password for his Vimeo account.
Baffled, he reached out to The Register in an attempt to understand what had happened. The journalists weren't any the wiser, but they did contact Vimeo, and the video-sharing platform finally revealed what was really going on. A representative told The Register that Vimeo's security team had found "a list of compromised email and password combinations captured from malware." How they found them remains unknown, but they did check them and realized that at least a portion of the data was valid. To protect users, they blocked access to the affected accounts.
It's not clear how easily accessible the stolen credentials were, but it's safe to say that whatever the circumstances, freezing the accounts was the right thing to do. What is not quite clear, however, is why Vimeo did it without informing users and the rest of the world about it. Even now, after the story found its way to The Register's weekly news round-up, Vimeo hasn't disclosed any specific details through the regular information channels, which means that some users might still be unaware of what's going on. They might not know that they should scan their devices for malware and change their passwords, either.
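The check Vimeo described, testing a list of leaked email and password pairs against real accounts and freezing the ones that still match, can be done against a properly hashed password store without ever comparing plaintext to plaintext. The code below is an added example, not Vimeo's code and not from the article: it keeps a constructed user store with per-user salted PBKDF2 hashes, verifies each leaked pair against the stored hash in constant time, and freezes matching accounts with a recorded reason so the user can be told exactly why access was blocked and what to do next. The store layout, iteration count and all addresses and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; the store never holds the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(password):
    """Create a constructed user record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "frozen": False}


# Constructed user store for this example (not real accounts).
USERS = {
    "alice@example.com": make_user("correct horse battery staple"),
    "bob@example.com": make_user("Winter2019!"),
    "carol@example.com": make_user("zX9#mq2!LpR7"),
}

# Constructed stand-in for the "list of compromised email and password
# combinations captured from malware" mentioned in the article.
LEAKED = [
    ("alice@example.com", "correct horse battery staple"),  # still valid
    ("bob@example.com", "OldPassword1"),                    # stale, no match
    ("dave@example.com", "whatever"),                       # no such account
    ("Carol@Example.com", "zX9#mq2!LpR7"),                  # valid, odd casing
]


def find_valid_leaked(leaked, users):
    """Return the emails whose leaked password still matches the stored hash."""
    hits = []
    for email, password in leaked:
        email = email.strip().lower()
        record = users.get(email)
        if record is None:
            continue  # the leak mentions an account we do not have
        candidate = hash_password(password, record["salt"])
        # constant-time comparison so the check itself leaks no timing signal
        if hmac.compare_digest(candidate, record["hash"]):
            hits.append(email)
    return hits


def freeze_accounts(emails, users, reason):
    """Block login for the listed accounts and record why, for user notice."""
    for email in emails:
        users[email]["frozen"] = True
        users[email]["freeze_reason"] = reason
    return sorted(emails)


if __name__ == "__main__":
    valid = find_valid_leaked(LEAKED, USERS)
    frozen = freeze_accounts(
        valid, USERS,
        "password found in a malware-captured credential list; "
        "scan your devices for malware and set a new password",
    )
    print("frozen:", frozen)
```

The leaked plaintexts should be discarded as soon as the comparison is done, and the recorded reason is what turns a silent freeze into the explanation the article says users were missing: the notification can tell the account owner that a malware-captured password matched, that their device should be scanned, and that the password must be changed before access is restored.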
Actions like this are supposed to reinforce people's trust in the service provider, but when they're not properly explained, they can have the opposite effect. Hopefully, we'll continue to see online platforms taking care of their users, and we'll also witness more transparent handling of security incidents.