The video hosting platform may have been breached through an insecure application

DailyMotion has been breached, with the hackers making off with 85 million accounts.

The video hosting service, the 113th most popular site on the internet, was robbed of its users' usernames, emails and, for many, hashed passwords.

First reported by LeakedSource.com, the breach notification database, the breach was apparently carried out around the 20th October.

Alongside the 85 million usernames and emails, 18 million hashed passwords were taken. As some have noted, those passwords were hashed with bcrypt, a notably resilient password-hashing algorithm, which will make them harder and slower to crack.

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told SCMagazineUK.com that he suspects an insecure web application was at fault here: "By examining currently available information about the incident, we can suggest that an insecure web application was probably at the origins of the breach."

"The Gartner Hype Cycle for Application Security 2016 says that applications, not infrastructure, represent the main attack vector for data exfiltration. As we can see by this example, even the largest companies fail to properly protect their web applications, putting their users at great risk."

Kolochenko added that we should expect "mass spear-phishing attacks combined with password re-use, which will allow cyber-criminals to compromise many different accounts belonging to the victims. The main wave may come just before or during Christmas shopping – when people are stressed and less attentive, while attackers will have enough time to carefully prepare their campaigns."

Mark James, IT security specialist at ESET, told SC that for users, data security choices are limited for a site as widely used as DailyMotion: "The internet has now made streaming content so easy, music and videos are readily available and cover all aspects of our daily lives. But of course to be part of this revolution you have to sign up, you need to choose a username and password, often give over personal information just to be a member of the site you're signing up to. You have no choice in their security, no control over how, who or what they do as regards to keeping your data safe but your only real choice is 'do I want your service or not?'"

DailyMotion did not respond for comment in time for publication.