[BreachExchange] Dailymotion Resets Passwords After Credential Stuffing Attack

[Destry Winant]

https://www.bleepingcomputer.com/news/security/dailymotion-resets-passwords-after-credential-stuffing-attack/

Dailymotion on Friday announced that some accounts were the target of
a credential stuffing attack. The video platform's security team
discovered the unauthorized access attempts and stopped them.

In an email notification to potentially impacted users,  the French
company says that the incident occurred on January 19. Six days later,
the attack was still in progress.

Following the discovery of the account takeover attempts, Dailymotion
started to log users out and initiated the password reset procedure.
The email to users includes a link that allows them to regain access
to their account.

The company has also informed the French Data Protection Authority
(CNIL) of the attack, as required by the European Union General Data
Protection Regulation (GDPR).

Login data is easy to come by

Dailymotion says in its public disclosure that the hackers were trying
"a large number of combinations, or by using passwords that have been
previously stolen from web sites unrelated to dailymotion."

This "guessing" approach using login data from other breaches is what
describes a credential stuffing attack; login information with
decrypted passwords from data breaches is often probed on multiple
services because chances of victims reusing them are high.

Hackers would not have to look too hard for data from old breaches.
Prior to the Dailymotion incident, someone offered for sale an archive
named Collection #1 with  773 million unique email addresses and
associated cracked passwords. The database is part of a larger set
almost 1 terabyte in size, sold for just $45.

Users can stay safe against credential stuffing attacks by choosing
unique passwords for accessing online services. Enabling two-factor
authentication (2FA) for the account is also a good idea if the
feature is available.

Service providers should at least consider implementing brute force
protection to limit the number of consecutive failed login attempts.