Dailymotion, the video-sharing platform, said Friday that it had fallen victim to a “large-scale” and ongoing credential-stuffing assault by attackers looking to harvest user data.
The French YouTube competitor said in an alert that it has “successfully contained [the attacks] following the implementation of measures to limit its scope, even though perpetrators are continuing to mount efforts to brute-force user passwords.”
“Potentially impacted users have been contacted directly by Dailymotion to inform them and provide them with personalized support,” the company said. “The CNIL (French Data Protection Authority) has also been notified of the attack … the Dailymotion teams are actively working to end the attack and reinforce the protection of its user data.”
Dailymotion has 300 million unique monthly visitors watching 3.5 billion videos per month according to its website.
Credential-stuffing is a method of using automated scripts to try a large number of passwords against online accounts (often in mere seconds) in hopes of finding the right one and cracking the account. Thanks to previous data breaches that harvested the passwords of wide swathes of the population, the fact that many people re-use those passwords across many accounts, and the fact that weak and easy-to-guess passwords are still endemic, such attacks tend to have a high rate of success.
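The pattern described above, many accounts tried from one source in a short burst, is also what a defender can look for in authentication logs. The following is an added example (not Dailymotion's detection logic or any code from the original article): it parses constructed log lines in a hypothetical `<timestamp> <ip> <user> <result>` format, flags sources that failed logins against many distinct accounts inside a sliding window, and then lists accounts that a flagged source did manage to log into, which is the set a platform would need to contact.

```python
"""Flag source IPs whose failed-login pattern looks like credential stuffing.

Heuristic (an assumption of this example, not Dailymotion's rules): a single
source that fails logins for many *distinct* usernames within a short window
is far more likely to be replaying a breached credential list than a
legitimate user mistyping one password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the "<iso timestamp> <ip> <user> <result>"
# layout is hypothetical and chosen for readability.
SAMPLE_LOG = """\
2019-01-25T10:00:01 203.0.113.7 alice FAIL
2019-01-25T10:00:02 203.0.113.7 bob FAIL
2019-01-25T10:00:02 203.0.113.7 carol FAIL
2019-01-25T10:00:03 203.0.113.7 dave FAIL
2019-01-25T10:00:03 203.0.113.7 erin OK
2019-01-25T10:00:04 203.0.113.7 frank FAIL
2019-01-25T10:00:10 198.51.100.4 alice FAIL
2019-01-25T10:00:40 198.51.100.4 alice FAIL
2019-01-25T10:01:05 198.51.100.4 alice OK
2019-01-25T10:05:00 203.0.113.7 grace FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(seconds=60), min_distinct_users=5):
    """Return {ip: set_of_users} for every source that failed logins against at
    least `min_distinct_users` different accounts inside some `window`."""
    failures = defaultdict(list)  # ip -> [(timestamp, user)] for FAIL events only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts in [start, end] fit.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break  # one qualifying window is enough to flag this source
    return flagged


def impacted_accounts(log_text, flagged):
    """Accounts that a flagged source successfully logged into: the users whose
    reused password the attacker evidently had."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, result = parse_line(line)
        if result == "OK" and ip in flagged:
            hits.add(user)
    return hits


if __name__ == "__main__":
    suspects = detect_stuffing(SAMPLE_LOG)
    print("stuffing sources:", suspects)
    print("accounts to notify:", impacted_accounts(SAMPLE_LOG, suspects))
```

On the constructed log, `203.0.113.7` fails against five different accounts within four seconds and is flagged, while `198.51.100.4` (one user retrying their own password) is not; `erin` is the account the flagged source got into. Thresholds are deliberately parameters: a real deployment tunes the window and the distinct-user count to its own traffic and typically correlates across IPs as well, since stuffing campaigns are commonly spread over many sources.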
“Consumers who have not yet upgraded to multifactor authentication (MFA) to login to websites, more often than not, reuse a few static passwords across multiple websites,” Michael Magrath, director for Global Regulations & Standards at OneSpan, said via email. “Given the vast number of password-related breaches over the past few years, the convenient, yet insecure reuse of static passwords exposes individuals to the credential-stuffing attack used in this case. Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy. Many websites support MFA today.”
As a result, credential-stuffing is a rising scourge. According to a 2018 report from Shape Security, 80 to 90 percent of log-in attempts at online retailers are tied to attempted credential-stuffing by hackers. The report added that 82 percent of log-in requests at hotel and hospitality websites and services can be attributed to the technique. And, about 65 percent of log-ins against airlines are credential-stuffing attacks.
The activity has significant consequences, too: The potential losses tied to credential spills come in at $50 million a day globally, Shape Security said – and it takes an average of 15 months for a credential breach to be reported.
Attacks like this one and the recent offensive aimed at Dunkin Donuts should put web admins on notice, according to Rod Simmons, vice president of product strategy and Active Directory at STEALTHbits Technologies.
“In giving users flexibility to set any desired password we fail to fix stupid,” he said via email. “Carbon-based life forms cannot [even] trip over creating secure passwords. Our challenge as system owners is to prevent users from doing lazy and stupid things. For example, ‘so I don’t forget my password, let me include my logon name in it plus my date of birth.’ Users will go out of their way, unintentionally, to do the least secure thing possible. As an administrator, prevent it.”
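The administrator-side control Simmons describes, refusing passwords that embed the logon name or date of birth, is simple to enforce at password-set time. The following is an added example (not code from STEALTHbits or from the original article) of such a policy check; the length minimum, the accepted date layouts and the small breached-password set are assumptions of the example, and a real deployment would compare a hash against a breached-password corpus rather than hold plaintext.

```python
"""Reject passwords built from the user's own logon name or date of birth,
or appearing in a known-breached list (example policy, not a vendor's)."""
import re


def normalize(text):
    """Lower-case and strip separators so 'J.Smith' and 'jsmith' compare equal,
    and '1984-07-09' compares equal to '19840709'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def date_forms(dob):
    """Common ways a birth date (given as YYYY-MM-DD) gets typed into a password.
    The set of layouts is an assumption of this example."""
    year, month, day = dob.split("-")
    yy = year[2:]
    return {
        year + month + day,   # 19840709
        day + month + year,   # 09071984
        month + day + year,   # 07091984
        yy + month + day,     # 840709
        day + month + yy,     # 090784
        month + day + yy,     # 070984
        year,                 # 1984 (a bare birth year is still a weak signal)
    }


def check_password(password, username, dob, breached, min_length=12):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    pw = normalize(password)
    user = normalize(username)

    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if user and user in pw:
        problems.append("contains the logon name")
    if any(form in pw for form in date_forms(dob)):
        problems.append("contains the date of birth")
    if password in breached:
        problems.append("appears in a known-breached password list")
    return problems


# Constructed breached-password sample; real lists hold hundreds of millions.
BREACHED = {"password123", "qwerty12345", "letmein2019"}

if __name__ == "__main__":
    for candidate in ("jsmith1984-07-09!", "password123", "correct horse battery"):
        print(repr(candidate), "->", check_password(candidate, "J.Smith", "1984-07-09", BREACHED) or "ok")
```

Normalising before the substring test is the important detail: without it, `J.Smith-1984-07-09` would slip past a naive `username in password` check while being exactly the password Simmons warns about.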
Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.