DailyMotion discloses credential stuffing attack

Video sharing platform DailyMotion announced on Friday that it was the victim of a credential stuffing attack, ZDNet has learned.

Also: Credential stuffing attacks cause heartache

Credentials stuffing is a security term that describes a type of cyber-attack where hackers take combinations of usernames and passwords leaked from other sites and use them to gain illegal access on accounts on another site.

According to an email sent out to impacted customers, and seen by ZDNet, the credential stuffing started last weekend, on January 19, and appears to have been successful in some cases, with hackers gaining access to a limited number of accounts.

The company said its security team discovered the attack and it took "all necessary steps" to block it. Since last Saturday, the company has been logging off users who it believes were impacted and resetting their passwords.

The email sent to all affected customers contains a link for users to reset their password and regain control of their account.

The French company has also notified CNIL (Commission nationale de l'informatique et des libertés), France's data privacy watchdog, as demanded by Europe's new GDPR legislation.

A DailyMotion spokesperson did not reply to a request for comment ZDNet sent on Saturday, January 26, seeking additional details.

DailyMotion isn't the only company that has suffered a credential stuffing attack in the past few months. Ad blocker company AdGuard suffered one in September, and so did banking giant HSBC and restaurant chain Dunkin' Donuts in November.

The latest victim was Reddit, who only two weeks ago announced that hackers had gained illegal access to some accounts following a credential stuffing attack.

Must read

• Google Chrome browser starts blocking intrusive ads (CNET)
  
• How credential stuffing contributed to 8.3B malicious botnets (TechRepublic)
  

In December 2016, DailyMotion also disclosed a major security breach after a hacker stole 85.2 million unique email addresses and usernames from the company's systems, along with the passwords for 18.3 million accounts.

The video-sharing site remains one of the most visited websites on the internet, currently ranked #134 on the Alexa traffic ranking.

These are the worst hacks, cyberattacks, and data breaches of 2018

Related stories:

• Dunkin' Donuts accounts may have been hacked in credential stuffing
  
• Banks, globally, facing barrage of credential stuffing attacks
  
• AdGuard resets all user passwords after credential stuffing attack
  

More data breach coverage:

• Real-time location data for over 11,000 Indian buses left exposed online
• Mystery still surrounds hack of PHP PEAR website
• Popular WordPress plugin hacked by angry former employee
• Advertising network compromised to deliver credit card stealing code
  
• Online casino group leaks information on 108 million bets, including user details
• Twitter bug revealed private tweets for some Android users for almost five years
• Massive breach leaks 773 million email addresses, 21 million passwords CNET
  
• Marriott reveals data breach affecting 500 million hotel guests TechRepublic