Video-sharing website Dailymotion is resetting the account passwords of an unknown number of users after being hit by a “large-scale” credential-stuffing attack.
As is often the case with password reset announcements, the technical detail of what happened and how many users were affected remains sketchy.
According to an email circulating on Twitter that was sent to some users, and a brief announcement on the company’s US website, Dailymotion’s security team detected the attack on user credentials on 19 January:
The attack consists in ‘guessing’ the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion.
What marks the Dailymotion incident out as unusual is that more than a week later the company is still battling the same attack.
Underlining this, Dailymotion said it had informed the French information commissioner, CNIL (Commission nationale de l’informatique et des libertés), which implies that the attack might have had some success.
Repelling credential stuffing is not easy. Attackers use botnets to distribute the attacks across large numbers of computers that can be hard to distinguish from legitimate traffic and even harder to block.
It’s now a big enough headache that internet content delivery company Akamai recently estimated that between November 2017 and June 2018 its customers fielded 30 billion credential-stuffing attempts.
Where might the attackers be getting the credentials to stuff?
As the company says, the simplest explanation is that they get them from the sea of credentials stolen from other websites that float around on criminal forums.
On that front, Dailymotion suffered a major breach of its own in late 2016 in which a reported 85 million email addresses and usernames and 18 million passwords were stolen.
Superficially, it was good news that the company is believed to have protected the passwords using the secure Bcrypt hashing algorithm.
Except, of course, if the same password has been used elsewhere on a site not using the same level of security (or even exposed or phished in plaintext) that account will still be vulnerable.
The problem is password re-use – if users set strong unique passwords for each website they use, credential stuffing would no longer work.
Dailymotion isn’t alone. Earlier this month some Reddit users were asked to reset their passwords in response to what appears to have been a credential-stuffing attack. In September, the popular adblocker AdGuard also suffered a similar fate.
Rob
Doesn’t locking the account for a period of time after a number of unsuccessful login attempts stop this type of attack? It makes the stuffing process too slow to achieve a result.
Paul Ducklin
The thing with “credential stuffing” (aside from the fact that it’s not a particularly well-chosen jargon name -) is that the crook is generally trying just one password per username – namely, a password known to work with that username somewhere else.
It’s like a dictionary attack (where you try a list of likely passwords) with just one entry in the dictionary.
So there isn’t a telltale “too many tries” event for any one account. If the crook makes too many login attempts in total from the same computer, you could blocklist that IP number for a while, but if the crook uses a zombie network with lots of different computers to spread the load, he might go unnoticed for some time.
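To illustrate the point made in this comment, here is an added example (not code from the article, Sophos or Dailymotion): over a constructed login log in which each account is tried once from a different address, a per-account lockout rule and a per-IP block rule both return nothing, while an aggregate view of the same log flags the pattern. The log format, the field names and the thresholds are assumptions.

```python
from collections import Counter

# Constructed sample login records for the demo (assumed format:
# "timestamp src_ip username result"); not taken from any real log.
SAMPLE_LOG = """\
2019-01-19T10:00:01 203.0.113.10 alice FAIL
2019-01-19T10:00:02 203.0.113.11 bob FAIL
2019-01-19T10:00:02 203.0.113.12 carol OK
2019-01-19T10:00:03 203.0.113.13 dave FAIL
2019-01-19T10:00:04 203.0.113.14 erin FAIL
2019-01-19T10:00:05 198.51.100.7 frank OK
2019-01-19T10:00:06 203.0.113.15 grace FAIL
2019-01-19T10:00:07 203.0.113.16 heidi FAIL
2019-01-19T10:00:08 198.51.100.7 frank FAIL
"""

def parse_log(text):
    """Return a list of (timestamp, src_ip, username, result) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def per_account_lockouts(events, threshold=5):
    """Classic lockout rule: accounts with at least `threshold` failed logins."""
    fails = Counter(user for _, _, user, r in events if r == "FAIL")
    return sorted(u for u, n in fails.items() if n >= threshold)

def per_ip_blocks(events, threshold=5):
    """Classic per-source rule: addresses with at least `threshold` failed logins."""
    fails = Counter(ip for _, ip, _, r in events if r == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def stuffing_signals(events, min_accounts=5, min_single_try_ratio=0.8):
    """Aggregate view: many distinct accounts, each tried about once, from many IPs."""
    tries = Counter(user for _, _, user, _ in events)
    failed_users = {user for _, _, user, r in events if r == "FAIL"}
    single_try = sum(1 for u in failed_users if tries[u] == 1)
    ratio = single_try / len(failed_users) if failed_users else 0.0
    failing_ips = {ip for _, ip, _, r in events if r == "FAIL"}
    flagged = len(failed_users) >= min_accounts and ratio >= min_single_try_ratio
    return {"failed_accounts": len(failed_users), "single_try_ratio": round(ratio, 2),
            "distinct_failing_ips": len(failing_ips), "flagged": flagged}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockouts(ev))   # []
    print("per-IP blocks:", per_ip_blocks(ev))                 # []
    print("campaign signals:", stuffing_signals(ev))           # flagged: True
```

The per-account and per-IP rules stay silent because no account or address exceeds one failure; only the aggregate ratio of single-attempt failures across many accounts exposes the campaign.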