Never Recycle Passwords

Credential-stuffing attack prompts Dailymotion password reset

by John E Dunn for Sophos

Video-sharing website Dailymotion is resetting the account passwords of an unknown number of users after being hit by a “large-scale” credential-stuffing attack.

As is often the case with password reset announcements, the technical detail of what happened and how many users were affected remains sketchy.

According to an email circulating on Twitter that was sent to some users, and a brief announcement on the company’s US website, Dailymotion’s security team detected the attack on user credentials on 19 January:

The attack consists in ‘guessing’ the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.

What marks the Dailymotion incident out as unusual is that more than a week later the company is still battling the same attack.

Underlining this, Dailymotion said it had notified the French data protection authority, CNIL (Commission nationale de l’informatique et des libertés). A regulator is normally only notified when personal data is believed to have been accessed, which implies that at least some of the guessed credentials worked.

Repelling credential stuffing is not easy. Attackers use botnets to spread the attempts across large numbers of computers and IP addresses, so each source makes only a handful of login attempts. Traffic like that is hard to distinguish from legitimate logins and even harder to block, because the per-IP rate limits and lockouts that stop a conventional brute-force attack never trigger.

It’s now a big enough headache that internet content delivery company Akamai recently estimated that between November 2017 and June 2018 its customers fielded 30 billion credential-stuffing attempts.
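To make the distinction concrete, here is an added example (not code from Sophos or Dailymotion) that runs two detection heuristics over a small, constructed login-audit log. A naive per-source rule catches the one-user, one-IP brute force but misses the distributed attack; a per-time-window rule that looks at the number of distinct usernames, the per-IP volume and the failure ratio catches the stuffing pattern instead. The log format, the thresholds and the IP addresses are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample audit log (not real Dailymotion data):
# <ISO timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2019-01-19T10:00:01Z 203.0.113.10 alice FAIL
2019-01-19T10:00:02Z 203.0.113.10 alice FAIL
2019-01-19T10:00:03Z 203.0.113.10 alice FAIL
2019-01-19T10:00:04Z 203.0.113.10 alice FAIL
2019-01-19T10:00:05Z 203.0.113.10 alice FAIL
2019-01-19T10:00:06Z 203.0.113.10 alice OK
2019-01-19T10:01:00Z 198.51.100.1 bob FAIL
2019-01-19T10:01:01Z 198.51.100.2 carol FAIL
2019-01-19T10:01:02Z 198.51.100.3 dave OK
2019-01-19T10:01:03Z 198.51.100.4 erin FAIL
2019-01-19T10:01:04Z 198.51.100.5 frank FAIL
2019-01-19T10:01:05Z 198.51.100.6 grace FAIL
2019-01-19T10:01:06Z 198.51.100.7 heidi FAIL
2019-01-19T10:01:07Z 198.51.100.8 ivan OK
2019-01-19T10:05:00Z 192.0.2.50 judy OK
2019-01-19T10:05:30Z 192.0.2.51 mallory FAIL
2019-01-19T10:05:40Z 192.0.2.51 mallory OK
"""


def parse(text):
    """Turn the constructed log into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "OK"))
    return events


def window(ts):
    """Bucket events into one-minute windows: '2019-01-19T10:01'."""
    return ts[:16]


def ips_over_per_ip_limit(events, limit):
    """The naive control: list source IPs with more than `limit` attempts.
    This is what a simple rate limiter sees."""
    counts = Counter(ip for _, ip, _, _ in events)
    return sorted(ip for ip, n in counts.items() if n > limit)


def detect(events, bf_failures=5, min_users=5, max_per_ip=2, fail_ratio=0.6):
    """Return alerts of two kinds:
    ('brute_force', ip, user, failures)  -- one (ip, user) pair hammered
    ('credential_stuffing', window, distinct_users, distinct_ips, fail_ratio)
        -- many usernames, each tried once or twice, from many low-volume IPs,
           with a high overall failure rate inside one window."""
    alerts = []
    failures = defaultdict(int)
    by_window = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures[(ip, user)] += 1
        by_window[window(ts)].append((ip, user, ok))

    for (ip, user), n in sorted(failures.items()):
        if n >= bf_failures:
            alerts.append(("brute_force", ip, user, n))

    for win, evs in sorted(by_window.items()):
        users = {u for _, u, _ in evs}
        ip_counts = Counter(ip for ip, _, _ in evs)
        fails = sum(1 for _, _, ok in evs if not ok)
        ratio = fails / len(evs)
        if (len(users) >= min_users
                and max(ip_counts.values()) <= max_per_ip
                and ratio >= fail_ratio):
            alerts.append(("credential_stuffing", win, len(users), len(ip_counts), ratio))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP limiter would block:", ips_over_per_ip_limit(evs, 3))
    for alert in detect(evs):
        print(alert)
```

The per-IP limiter flags only 203.0.113.10 (the brute force against alice); every IP in the 10:01 window made exactly one attempt. The window rule fires on that minute because eight different usernames were tried from eight addresses with a 75% failure rate, which is the shape of a stolen-credential list being replayed. In production the thresholds would be tuned against a baseline of normal traffic, and the alert would feed a step-up challenge or a forced reset rather than an outright block.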

Where might the attackers be getting the credentials to stuff?

As the company says, the simplest explanation is that they get them from the sea of credentials stolen from other websites that float around on criminal forums.

On that front, Dailymotion suffered a major breach of its own in late 2016 in which a reported 85 million email addresses and usernames and 18 million passwords were stolen.

Superficially, it was good news that the company is believed to have protected the stored passwords with bcrypt, a deliberately slow, salted hashing algorithm designed for passwords, which makes cracking the stolen hashes offline expensive though not impossible for weak passwords.

Except, of course, that if the same password has been used elsewhere on a site not using the same level of protection (or has been exposed or phished in plaintext), the attacker already has the plaintext and the Dailymotion account is still vulnerable, however well Dailymotion hashed it.

The problem is password re-use – if users set strong unique passwords for each website they use, credential stuffing would no longer work.
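The practical server-side counterpart to "set strong unique passwords" is to refuse, at signup and password change, any password that already appears in a known breach corpus. The added example below (not code from Sophos or Dailymotion, and going slightly beyond the article) mirrors the k-anonymity range-query design popularised by Have I Been Pwned's Pwned Passwords service: the client reveals only the first five hex characters of the SHA-1 of the candidate password, the server returns every hash suffix in that range, and the match is made on the client side. The breach corpus, the minimum length and the function names are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (hypothetical; not the 2016 Dailymotion dump).
BREACHED_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "dailymotion2016", "Summer2018!",
]


def sha1_hex(password):
    """Uppercase hex SHA-1, the form used by range-query breach services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: group full hashes by their 5-hex-char prefix (20 bits),
    so a query for one prefix returns all suffixes sharing it."""
    index = defaultdict(list)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].append(h[5:])
    return index


def range_query(index, prefix):
    """Server side: the only input the server ever sees is the prefix."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(index.get(prefix.upper(), []))


def is_breached(index, candidate):
    """Client side: the full hash never leaves the caller; only the
    prefix is sent and the suffix comparison happens locally."""
    h = sha1_hex(candidate)
    return h[5:] in range_query(index, h[:5])


def validate_new_password(index, candidate, min_len=12):
    """Policy for signup / password change. Returns a reason string;
    'ok' means the password may be accepted. Assumed policy for the example."""
    if is_breached(index, candidate):
        return "appears in breach corpus"
    if len(candidate) < min_len:
        return "too short"
    return "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for pw in ["password", "Xk9#q", "correct horse battery staple"]:
        print(repr(pw), "->", validate_new_password(idx, pw))
```

Checking the breach corpus before the length rule means a user who reuses a long but already-leaked password is told why it is rejected rather than nudged into adding a digit to it. Against a real corpus of hundreds of millions of hashes the prefix range still returns only a few hundred suffixes, so the lookup is cheap, and because only 20 bits of the hash leave the client the server cannot recover the candidate password from the query.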

Dailymotion isn’t alone. Earlier this month some Reddit users were asked to reset their passwords in response to what appears to have been a credential-stuffing attack. In September, the popular adblocker AdGuard suffered a similar fate.

December 25, 2020