Attackers have launched an ongoing credential stuffing campaign against the online video streaming service Dailymotion, compromising the data of an unspecified number of users in the process.
A property of French media and entertainment company Vivendi SA, Paris-based Dailymotion said in a Jan. 25 press alert that its technical teams “successfully contained” the attack “following the implementation of measures to limit its scope.” Potentially impacted users have already been contacted, as has the CNIL, a French federal agency responsible for overseeing data protection regulations.
In a credential stuffing attack, malicious actors attempt to gain access to online websites or accounts using passwords that were previously stolen from or leaked by unrelated web services. This technique often works because many users tend to register for services with the same credentials over and over.
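As an added illustration (not part of the original article or of Dailymotion's response), the Python example below shows how a defender might spot this pattern in login logs: one source trying many different accounts about once each, with mostly failures, as opposed to repeated guesses against a single account. The log format, thresholds and sample events are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded).
# IPs come from the documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # One source walks a leaked list: 8 accounts, one try each, one hit.
    [("203.0.113.7", f"user{i}", i == 5) for i in range(8)]
    # One source retries a single account (forgotten password or brute force).
    + [("198.51.100.4", "alice", False)] * 6
    # Ordinary successful logins.
    + [("192.0.2.10", "bob", True), ("192.0.2.10", "carol", True)]
)


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2,
                          max_attempts_per_account=2):
    """Return sources whose attempts look like credential stuffing.

    Heuristic (thresholds are illustrative assumptions, tune per site):
      * many distinct accounts targeted from one source,
      * few attempts per account (a leaked pair is tried once or twice),
      * low overall success ratio (most leaked pairs do not match).
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if ok:
            entry["hits"].add(user)

    findings = {}
    for ip, entry in stats.items():
        accounts = len(entry["users"])
        success_ratio = len(entry["hits"]) / accounts
        attempts_per_account = entry["attempts"] / accounts
        if (accounts >= min_accounts
                and success_ratio <= max_success_ratio
                and attempts_per_account <= max_attempts_per_account):
            findings[ip] = {
                "accounts_tried": accounts,
                "success_ratio": round(success_ratio, 3),
                # Accounts where a reused password worked: reset and notify.
                "accounts_to_reset": sorted(entry["hits"]),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, detail)
```

The accounts listed under `accounts_to_reset` are the ones where a reused password matched, which is the group a service would contact or force through a password reset.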
“Sharing passwords between sites is a recipe for disaster, especially when the same credentials are used for business,” said Martin Cannard, VP of privileged access management product strategy at STEALTHbits Technologies, in emailed comments. “Today there is a plethora of personal password management tools which makes the process of maintaining unique credentials a no-brainer. Keep your passwords strong and unique, and never use the same password for a business as you would for personal sites.”
“Consumers who have not yet upgraded to multifactor authentication to log in to websites more often than not reuse a few static passwords across multiple websites,” added Michael Magrath, OneSpan’s director of global regulations and standards, in his own comments. “Given the vast number of password-related breaches over the past few years, the convenient, yet insecure reuse of static passwords exposes individuals to the credential stuffing attack used in this case.”
“The… credential stuffing attack on Dailymotion is another reminder of the vulnerability of passwords and how vital password-less solutions are,” said Raz Rafaeli, CEO of Secret Double Octopus. “Unfortunately, these sorts of reminders are popping up every month. It’s time that companies wake up and take their users’ privacy seriously, and it’s time for consumers to demand better protection of their personal information.”
Earlier this month, a credential stuffing attack against Reddit caused the social news site to force a password reset on its users.