According to breach detection company Leakedsource, video sharing site Dailymotion has had 85.2 million usernames and email addresses and 18 million scrambled passwords stolen, with the theft reportedly occurring on 20 October.
Although Dailymotion passwords are protected with the bcrypt hashing algorithm, the company has advised all users to change their passwords. The company also stated that no personal information had been lost and that the impact of the breach was limited.
Dailymotion released a statement via a blog, saying:
“It has come to our attention that a potential security risk, coming from outside Dailymotion, may have compromised the passwords for a certain number of accounts. The hack appears to be limited, and no personal data has been compromised. Your account security is extremely important to us, and to be on the safe side, we are strongly advising all of our partners and users to reset their passwords. When defining a new password we recommend that your new password contains eight or more characters, is not obvious (e.g. password1234), and not to use the same password on multiple sites.”
Experts reacting to the latest high-profile breach have been quick to point the finger of blame at the humble password, a security measure that most of them say needs to be retired. CBR spoke to the experts to get their views on passwords and what companies need to do to mitigate the risk of attack.
A fundamentally insecure method of security
Richard Parris, CEO, Intercede:
“How many more major username and password thefts do there need to be before the industry sits up and acknowledges that this is a fundamentally insecure method of security? Unfortunately for the consumers affected by the Dailymotion hack, it’s not just their Dailymotion accounts which are at risk. Without a doubt, there’ll be a number of customers who have recycled their passwords across numerous sites – and who can blame them? When you have 30-odd online identities, it’s unrealistic to expect consumers to create, and remember, 30 different – but complicated – passwords. It’s hard enough to remember 30 simple passwords.
“The responsibility instead lies on businesses to reject password authentication and adopt secure alternatives. They are available, they are easy to implement and they offer much higher levels of security.”
Your only real choice as a consumer
Mark James, IT security specialist at ESET:
“The internet has now made streaming content so easy; music and videos are readily available and cover all aspects of our daily lives. But of course to be part of this revolution you have to sign up, you need to choose a username and password, and often hand over personal information just to be a member of the site you’re signing up to. You have no choice in their security, no control over how, who or what they do with regard to keeping your data safe; your only real choice is “do I want your service or not?”
“When or if your data gets compromised you need to check a few things and act quickly. Check and change your passwords on this site; if you have used that same password on any other site then change those immediately, and possibly consider a password manager if you’re not already using one. Without further information about what was or was not stolen we won’t know the extent of the damage, but needless to say more data being added to your already overflowing online profile floating around the web is not good for any of us.”
Your password will be involved in a breach
Deral Heiland, Research Lead – Global Services, Rapid7:
“Sooner or later your email address, username and password will be involved in a breach. Hashing or encrypting passwords, by using the “bcrypt hashing function” for example, will serve you little value if your password is constructed of a dictionary word and numbers. Brute forcing against the hashed passwords using a dictionary attack will always make short work of this. So use strong passwords or pass phrases and avoid the use of dictionary words.
“In spite of the difficulty of having a different password on every account it is still much easier than panicking to change multiple passwords in the event of a breach, and cleaning up potential issues related to numerous accounts being compromised.”
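As an added illustration of the advice above (not part of the article or of Heiland's statement): a signup-time policy check that rejects short passwords, dictionary words with digits tacked on, and passwords containing the username before anything is hashed, then hashes the survivors with a salted, slow key-derivation function. It uses Python's standard-library PBKDF2-HMAC in place of the bcrypt the article mentions; the tiny word list, the iteration count and all function names are constructed assumptions, not Dailymotion's or Rapid7's code.

```python
import hashlib
import hmac
import os
import re

# Constructed, deliberately tiny stand-in for a real common-password / dictionary list.
COMMON_WORDS = {"password", "dailymotion", "welcome", "monkey", "dragon", "letmein", "qwerty"}

MIN_LENGTH = 8            # the article's "eight or more characters" advice
PBKDF2_ITERATIONS = 600_000  # assumption: a current high iteration count for PBKDF2-HMAC-SHA256


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    # Strip trailing digits/symbols so "password1234" or "Dragon!!" is still seen as a dictionary word,
    # which is exactly the pattern Heiland says a dictionary attack makes short work of.
    stem = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_WORDS or stem in COMMON_WORDS:
        problems.append("dictionary word, optionally followed by digits or symbols")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """Salted slow hash. Returns (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


def register(username, password):
    """Enforce the policy first; only a password that passes it is ever hashed and stored."""
    problems = password_problems(password, username)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("password1234", "Dragon!!", "short", "correct horse battery staple"):
        print(repr(candidate), "->", password_problems(candidate) or "ok")
    salt, digest = register("alice", "correct horse battery staple")
    print("login check:", verify_password("correct horse battery staple", salt, digest))
```

The order matters: the policy check runs before hashing, because a slow hash only buys time against guessing when the password is not already on the guesser's list, which is Heiland's point about dictionary words and numbers.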
Expect stolen passwords to be re-used
Javvad Malik, security advocate at AlienVault:
“While it is too early to establish the why or how of what happened, the attack against Dailymotion serves as a reminder that a company doesn’t need to hold financial information or any other form of overtly valuable data to be a target. Attackers will go after a company, particularly ones with large user bases, for a variety of reasons.
“In this case, we may see the stolen passwords used in re-use attacks against other services, in very much the same way we recently saw attacks against Deliveroo and Camelot perpetrated by reused passwords.”
This article is from the CBROnline archive: some formatting and images may not be present.