Details of more than 85 million users of video sharing site Dailymotion have been hacked, according to Leakedsource. The breach detection company said 85.2 million usernames and email addresses and 18 million scrambled passwords had been stolen on 20 October. IT security experts from Proofpoint, Varonis, NuData Security and Rapid7 commented below.
Sherrod DeGrippo, Director, Emerging Threats at Proofpoint:
“Any login/password database can be sold for use as lures in email malware campaigns. Using this type of information to personalize emails that also contain malware and links to malware is a tactic we see every day and is very popular.
Malware actors can send personalized email messages using this stolen data to make them more attractive to click on and lower the guard of the recipient.
Users should change their passwords, never reuse passwords across sites and be aware of email message attachments, even if the email they come from includes specific information about them.
We also often see a wave of emails that pivot off these types of events shortly after they’re announced. Emails that purport to be from the breached service, asking the users to click and download or follow a link to reset their passwords or to update their security settings due to the breach – but are actually from a malware distributor.”
David Gibson, VP of Strategy and Market Development at Varonis:
“This morning, video sharing site Dailymotion admitted that hackers hauled in over 85.2 million user names and email addresses, with one in five of these accounts – around 18.3 million – had associated passwords. If you’re not using strong passwords, enabling two-factor authentication where available, not entering the same password on multiple sites, or relying strictly on a password manager, then this breach should re-motivate you.
“Businesses – just like individuals – are still struggling to get the basics right when it comes to securing their data. There are so many basic vulnerabilities that organisations need to address – external and internal. In order to be productive, company networks can’t be 100% isolated, and no matter how much time and money you spend on security tools, nothing is fool-proof, especially when the weakest links in the chain are the people who need access to data in order to do their jobs.
“Burying your head in the sand and hoping nothing bad will ever happen isn’t an option these days, so companies should absolutely have a plan for what happens after they discover a breach. Just like it would be silly to choose not to have a plan for a fire in the building, it doesn’t make sense not to have a response plan for a data breach. At a minimum, it’s critical for companies to identify what may have been stolen or deleted and what their obligations are to customers, partners, shareholders, etc. Different types of information have different disclosure requirements, therefore it’s important for companies to understand what kind of data they’re storing and what those obligations are so they can plan accordingly.”
Robert Capps, VP of Business Development at NuData Security:
“Any breaches of personal information are of extreme significance and concern. While breaches seem to be a daily occurrence, this breach goes to show that any site with information about a consumer is a potential target! Even when you think you are just sitting at home watching cute cat videos, your information is always tempting for hackers. With just a name and email address there are outsized risks from targeted Phishing. Stolen consumer data can be combined with other personally identifiable information (PII) from other hacks and breaches to amass even more detailed profiles on users that are traded and sold for high value to hackers. These ‘bundles’ contain much more complete and increasingly dangerous information around specific individuals, meaning there are more opportunities for fraud to take place. For example, with enough data collected from separate breaches a fraudster can gain access to financial and geographical information with the intent to fill out a loan application or apply for a new credit card.”
Deral Heiland, Research Lead – Global Services at Rapid7:
“Sooner or later your email address, username and password will be involved in a breach. Hashing or encrypting passwords, by using the “bcrypt hashing function” for example, will serve you little value if your password is constructed of a dictionary word and numbers. Brute forcing against the hashed passwords using a dictionary attack will always make short work of this. So use strong passwords or pass phrases and avoid the use of dictionary words.
In spite of the difficulty of having a different password on every account it is still much easier than panicking to change multiple passwords in the event of a breach, and cleaning up potential issues related to numerous accounts being compromised.”