Millions of accounts associated with video-sharing site Dailymotion, one of the biggest video platforms in the world, have been stolen. A hacker extracted 85.2 million unique email addresses and usernames from the company’s systems, but only about one in five accounts (roughly 18.3 million) had associated passwords, and those were hashed with the bcrypt hashing function, making the passwords difficult to crack. The hack is believed to have been carried out on Oct. 20 by a hacker whose identity isn’t known, according to LeakedSource, a breach notification service, which obtained the data.
The Guru reached out to several cybersecurity experts to get their reactions on this breach.
Javvad Malik, security advocate at AlienVault:
“While it is too early to establish the why or how of what happened, the attack against Dailymotion serves as a reminder that a company doesn’t need to hold financial information or any other form of overtly valuable data to be a target. Attackers will go after a company, particularly one with a large user base, for a variety of reasons.
“In this case, we may see the stolen passwords used in re-use attacks against other services, in very much the same way we recently saw attacks against Deliveroo and Camelot perpetrated by reused passwords.”
Mark James, IT security specialist at ESET:
“The internet has now made streaming content so easy; music and videos are readily available and cover all aspects of our daily lives. But of course, to be part of this revolution you have to sign up: you need to choose a username and password, and often hand over personal information just to be a member of the site you’re signing up to. You have no choice in their security, no control over how, who or what they do with regard to keeping your data safe; your only real choice is ‘do I want your service or not?’
“When or if your data gets compromised you need to check a few things and act quickly. Check and change your password on this site; if you have used that same password on any other site, then change those immediately, and consider a password manager if you’re not already using one. Without further information about what was or was not stolen we won’t know the extent of the damage, but needless to say, more data being added to your already overflowing online profile floating around the web is not good for any of us.”
Lee Munson, security researcher at Comparitech.com:
“While some 85 million users may be sweating over the apparent breach of DailyMotion, the actual damage caused by the attack, if confirmed, is likely to be very small indeed.
“The reason for that is the fact that the site used bcrypt hashing to protect users’ passwords, making them extremely hard to crack.
“Even though the use of a strong hashing function is extremely good news, it does not guarantee that passwords cannot be extracted, meaning users should still seriously consider changing them anyway.
“On a slightly more negative note, it does appear that email addresses may have been compromised. DailyMotion account holders should therefore be on their guard against targeted attacks, especially phishing emails which may come their way asking them to click on a link to update their passwords!
“Also concerning, if the breach is confirmed, is the fact that the attack is believed to have occurred on 20 October, giving the attacker(s) plenty of opportunity to make good use of any stolen credentials long before any official word comes from DailyMotion itself.”
David Gibson, VP of strategy and market development at Varonis:
“This morning, video sharing site Dailymotion admitted that hackers hauled in over 85.2 million user names and email addresses, with one in five of these accounts (around 18.3 million) having associated passwords. If you’re not using strong passwords, enabling two-factor authentication where available, not entering the same password on multiple sites, or relying strictly on a password manager, then this breach should re-motivate you.
“Businesses, just like individuals, are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address, external and internal. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is foolproof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
“Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Sherrod DeGrippo, Director, Emerging Threats at Proofpoint:
“Any login/password database can be sold for use as lures in email malware campaigns. Using this type of information to personalize emails that also contain malware and links to malware is a tactic we see every day and is very popular.
Malware actors can send personalized email messages using this stolen data to make them more attractive to click on and lower the guard of the recipient.
Users should change their passwords, never reuse passwords across sites and be aware of email message attachments, even if the email they come from includes specific information about them.
We also often see a wave of emails that pivot off these types of events shortly after they’re announced. These emails purport to be from the breached service, asking users to click and download or follow a link to reset their passwords or to update their security settings due to the breach, but are actually from a malware distributor.”
Robert Capps, VP of business development at NuData Security:
“Another day, another hack, and more consumer data stolen. Even watching your favourite band’s latest music video can lead to a breach of your personal data, as we’ve seen with this Dailymotion breach.
Any breaches of personal information are of extreme significance and concern. While breaches seem to be a daily occurrence, this breach goes to show that any site with information about a consumer is a potential target! Even when you think you are just sitting at home watching cute cat videos, your information is always tempting for hackers. With just a name and email address there are outsized risks from targeted phishing. Stolen consumer data can be combined with other personally identifiable information (PII) from other hacks and breaches to amass even more detailed profiles on users, which are traded and sold for high value to hackers. These ‘bundles’ contain much more complete and increasingly dangerous information around specific individuals, meaning there are more opportunities for fraud to take place. For example, with enough data collected from separate breaches a fraudster can gain access to financial and geographical information with the intent to fill out a loan application or apply for a new credit card.
Fortunately, there are means of stopping fraudsters from using their precious compiled data before catastrophic damage can be done. Organisations at the forefront of protecting their brand and customers are leveraging multi-layered solutions that employ passive biometrics and behavioural analytics. These completely passive systems identify suspicious activity coming from a fraudster who has procured legitimate account credentials and stop any deceitful transactions from taking place, even when good account details or stolen biometrics are presented. Without the need to interrupt a user’s experience, behavioural analysis serves as a means of understanding how legitimate users truly act, thereby predicting and preventing fraud from occurring. Isn’t it time we expected the organisations that hold our credentials to have the best solutions in place to protect our data from theft and misuse?”