DailyMotion Credential Stuffing Attack

By   ISBuzz Team
Writer , Information Security Buzz | Jan 29, 2019 02:30 am PST

The popular video platform DailyMotion’s disclosed a credential stuffing attack on Friday.  In response, experts with Cequence and Shared Assessments offer perspective.

Mike Jordan, CISSP, CRISC, CTPRP, Senior Director at The Shared Assessments Program:

“Credential Stuffing is the unfortunate consequence of using the same password on different sites.  Just last week, over 772 million passwords were offered for sale in one of the largest public data breaches of this sort.  It’s no surprise to see a corresponding breach.

“Hacking passwords on public video sites and forums could be used for troll farming and disinformation campaigns. More troubling are the breached banks and retailers where actual transactions are at risk.  And don’t forget the smaller sites that don’t have the resources to detect this kind of attack.  Consumers may never hear about these types of attacks, and any site can store more of your information than you may realize.

“I strongly recommend making passwords unique and storing them in a trusted password manager app.  Opt into two-step or Multi-Factor sign-in where possible, whereby the website sends you a code or uses an app to log you in along with your password. Email accounts can be used to reset all your other passwords, so prioritize those along with your financial and work passwords.”

Franklyn Jones, CMO at Cequence:

Franklin Jones“One of the reasons credential stuffing is so hard to prevent is that the attack vector is a valid username and password combination. No malicious content there, so the attack is often undetectable until it’s too late. So in this case, it’s more effective to focus on the underlying behavior and intent of the request to determine its authenticity.”