Credential Stuffing Attack Hits Dailymotion

Dailymotion, the rival to Youtube’s video-sharing empire, has become a victim of a cyber attack called credential stuffing. It is an attack using the usernames and passwords from other data breaches against Dailymotion’s login system. This is highly effective since people usually reuse the same username and passwords across multiple web services. This same attack was used against Reddit early this month, and proven very useful against other web services until such time users will change their behavior when it comes to password choices.

Dailymotion provides users to upload a video they have captured and publish them to its website, just like Youtube has been doing. In fact, Dailymotion can be considered as a close rival, since like Youtube, the former was also established in 2005. The credential stuffing attack against Dailymotion was only discovered by the file-sharing site last Jan 19. In their initial investigation, some accounts were taken over by users from unknown IP addresses, indicating that people other than the owners of the account were in control.

Dailymotion’s IT team has forcefully logged-off the questionable accounts, prompting their original owners to change their password at the soonest possible time. All accounts that they deemed access by 3rd parties are subjected to this force password change, in order for them to have the chance to recover their accounts.

Since Dailymotion is headquartered at France, the company has informed Commission Nationale de l’informatique et des libertés (CNIL) about the incident in full compliance to the GDPR disclosures mandated by EU. Aside from Reddit and now Dailymotion, Dunkin’ Donuts, AdGuard and HSBC were the recent victims of credential stuffing. With the growth of the number of data breaches that happens every year, hackers will always attempt to use the user credentials they stole against popular online services, in hopes some accounts will successfully login to the user’s profile.

In order to minimize issues like this in the future, it is best to follow safe computing habits:

• Use unique, hard to guess passwords for all subscribed web services
• Do not run attachments that come from unknown senders.
• In the same way, avoid clicking on the links embedded in emails that come from unknown or untrusted addresses.
• Banks never ask for confidential information by e-mail. A very common deception is phishing, which consists of falsifying the bank’s website and redirecting the user there through a link. In this way, they can be done with the identification data of the user and access their bank account.
• Enable the anti-spam filter.
• Use different email accounts. For example, it is advisable to use an account exclusively to receive mail with little importance, commercial notices, emails from mass mailing lists, etc.
• Use strong passwords, that is, that have ten or more characters and include uppercase, lowercase, numbers, and special characters. It is also advisable to use an account for each service.
• Avoid accessing email from public computers.
• Use public Wi-Fi networks with caution, there may be someone capturing users’ passwords.
• When sending a message to many contacts, use the copy in a hidden copy, in this way the addresses of the recipients are protected.
• The best ally to cybersecurity is oneself. It is advisable to be updated in terms of computer security.

Dailymotion is considered by Alexa traffic tracking as the 134th most visited site in the world. It is a good alternative to Youtube and has a considerable number of video contents uploaded every day.