BreachExchange mailing list archives
Dailymotion Resets Passwords After Credential Stuffing Attack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 29 Jan 2019 06:06:39 -0600
https://www.bleepingcomputer.com/news/security/dailymotion-resets-passwords-after-credential-stuffing-attack/

Dailymotion on Friday announced that some accounts were the target of a credential stuffing attack. The video platform's security team discovered the unauthorized access attempts and stopped them.

In an email notification to potentially impacted users, the French company says that the incident occurred on January 19. Six days later, the attack was still in progress.

Following the discovery of the account takeover attempts, Dailymotion started to log users out and initiated the password reset procedure. The email to users includes a link that allows them to regain access to their account.

The company has also informed the French Data Protection Authority (CNIL) of the attack, as required by the European Union General Data Protection Regulation (GDPR).

Login data is easy to come by

Dailymotion says in its public disclosure that the hackers were trying "a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion."

This "guessing" approach using login data from other breaches is what describes a credential stuffing attack; login information with decrypted passwords from data breaches is often probed on multiple services because chances of victims reusing them are high.

Hackers would not have to look too hard for data from old breaches. Prior to the Dailymotion incident, someone offered for sale an archive named Collection #1 with 773 million unique email addresses and associated cracked passwords. The database is part of a larger set almost 1 terabyte in size, sold for just $45.

Users can stay safe against credential stuffing attacks by choosing unique passwords for accessing online services. Enabling two-factor authentication (2FA) for the account is also a good idea if the feature is available.
Service providers should at least consider implementing brute force protection to limit the number of consecutive failed login attempts.
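
An added example, not part of the forwarded article and not Dailymotion's code: a minimal login guard that applies the consecutive-failure limit mentioned above and, going one step beyond it, also counts distinct accounts failing from one source, since stuffing runs tend to try each account only once. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against real traffic.
MAX_CONSECUTIVE_FAILURES = 5   # per account
MAX_ACCOUNTS_PER_SOURCE = 10   # distinct accounts failing from one source
WINDOW_SECONDS = 600           # sliding window for the per-source count

class LoginGuard:
    def __init__(self):
        self.consecutive = defaultdict(int)   # account -> consecutive failures
        self.by_source = defaultdict(deque)   # source -> (time, account) failures

    def allowed(self, account, source, now):
        # Brute-force limit: repeated failures against a single account.
        # (This sketch has no unlock timer; a real service needs a reset path.)
        if self.consecutive[account] >= MAX_CONSECUTIVE_FAILURES:
            return False
        # Stuffing signal: one source failing across many different accounts.
        recent = self.by_source[source]
        while recent and now - recent[0][0] > WINDOW_SECONDS:
            recent.popleft()
        return len({acct for _, acct in recent}) < MAX_ACCOUNTS_PER_SOURCE

    def record(self, account, source, now, success):
        if success:
            self.consecutive[account] = 0
        else:
            self.consecutive[account] += 1
            self.by_source[source].append((now, account))

def replay(events):
    """Run (time, account, source, password_ok) tuples through the guard."""
    guard, decisions = LoginGuard(), []
    for now, account, source, ok in events:
        if not guard.allowed(account, source, now):
            decisions.append("blocked")
        else:
            guard.record(account, source, now, ok)
            decisions.append("ok" if ok else "failed")
    return decisions

# Constructed sample events (documentation IP ranges, made-up accounts).
BRUTE_FORCE = [(t, "alice", "198.51.100.7", False) for t in range(7)]
STUFFING = [(t, f"user{t}", "203.0.113.9", False) for t in range(12)]
LEGIT = [(0, "bob", "192.0.2.4", False), (5, "bob", "192.0.2.4", True)]

if __name__ == "__main__":
    for name, events in [("brute", BRUTE_FORCE), ("stuffing", STUFFING), ("legit", LEGIT)]:
        print(name, replay(events))
```

In the stuffing sample no account ever reaches the per-account limit; only the per-source count stops the run, which is why the second check is included.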