Dailymotion on Friday announced that some accounts were the target of a credential stuffing attack. The video platform's security team discovered the unauthorized access attempts and stopped them.
In an email notification to potentially impacted users, the French company says that the incident occurred on January 19. Six days later, the attack was still in progress.
Following the discovery of the account takeover attempts, Dailymotion started to log users out and initiated the password reset procedure. The email to users includes a link that allows them to regain access to their account.
Dailymotion has been pwned. pic.twitter.com/IJkE1hajr2
— Frank Denis (@jedisct1) January 26, 2019
A translation into English is provided in the tweet below:
@troyhunt Got this mail from @dailymotion (translated from French) pic.twitter.com/uotgq7K6Ju
— Seblor (@Seblor571) January 26, 2019
The company has also informed the French Data Protection Authority (CNIL) of the attack, as required by the European Union General Data Protection Regulation (GDPR).
Login data is easy to come by
Dailymotion says in its public disclosure that the hackers were trying "a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion."
This "guessing" approach using login data from other breaches is what defines a credential stuffing attack: email and password pairs from earlier data breaches, with the passwords already cracked, are tried against many other services because the odds that victims reused them are high.
Hackers would not have to look too hard for data from old breaches. Prior to the Dailymotion incident, someone offered for sale an archive named Collection #1 with 773 million unique email addresses and associated cracked passwords. The database is part of a larger set almost 1 terabyte in size, sold for just $45.
Users can stay safe against credential stuffing attacks by choosing unique passwords for accessing online services. Enabling two-factor authentication (2FA) for the account is also a good idea if the feature is available.
Service providers should at least consider implementing brute force protection to limit the number of consecutive failed login attempts.
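The per-account lockout recommended above stops classic brute force, but credential stuffing spreads one or two attempts over many accounts and never trips it, so a provider also needs a per-source view. The following is an added example (not Dailymotion's code) that implements both checks over constructed login events; the thresholds, the `LoginGuard` class and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Policy thresholds (assumed values for this example, not Dailymotion's)
MAX_CONSECUTIVE_FAILURES = 5  # brute-force protection: lock the account after this many in a row
STUFFING_MIN_ACCOUNTS = 8     # one source failing against this many distinct accounts...
WINDOW_SECONDS = 60           # ...inside this window is treated as credential stuffing

class LoginGuard:
    """Tracks failed logins per account (brute force) and per source (stuffing)."""

    def __init__(self):
        self.consecutive_failures = defaultdict(int)  # username -> failures in a row
        self.source_failures = defaultdict(deque)     # source_ip -> recent (ts, username)
        self.locked_accounts = set()
        self.flagged_sources = set()

    def record(self, ts, source_ip, username, success):
        """Process one login attempt; returns "ok", "failed" or "blocked"."""
        if username in self.locked_accounts or source_ip in self.flagged_sources:
            return "blocked"
        if success:
            self.consecutive_failures[username] = 0  # a success resets the counter
            return "ok"
        # Per-account counter: the consecutive-failure limit the article recommends
        self.consecutive_failures[username] += 1
        if self.consecutive_failures[username] >= MAX_CONSECUTIVE_FAILURES:
            self.locked_accounts.add(username)
        # Per-source view: stuffing spreads one or two attempts over many accounts, so the
        # per-account limit never trips; count distinct accounts failed from one source
        q = self.source_failures[source_ip]
        q.append((ts, username))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        if len({u for _, u in q}) >= STUFFING_MIN_ACCOUNTS:
            self.flagged_sources.add(source_ip)
        return "failed"

def replay(events):
    """Feed a list of (ts, source_ip, username, success) events through one guard."""
    guard = LoginGuard()
    return guard, [guard.record(*event) for event in events]

# Constructed sample events, not real log data: (timestamp_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    [(i, "203.0.113.7", f"user{i}", False) for i in range(10)]            # stuffing: 10 accounts, 1 try each
    + [(20 + i, "198.51.100.9", "alice", False) for i in range(6)]         # brute force on one account
    + [(40, "192.0.2.5", "bob", False), (41, "192.0.2.5", "bob", True)]    # typo, then legitimate login
)
```

Running `replay(SAMPLE_EVENTS)` locks only `alice`, flags only the stuffing source `203.0.113.7` after its eighth distinct account, and leaves `bob`'s single mistake unpunished.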