Dailymotion breach prompts calls for password alternatives

The latest breach of millions of user details prompts fresh calls for better security of user data and an alternative to passwords

A breach at French video sharing website Dailymotion that exposed more than 87.5 million user accounts has prompted fresh calls for an alternative to passwords.

According to breach notification site LeakedSource, the breach took place on 20 October 2016 and exposed details including user names, email addresses and passwords protected with the Bcrypt hashing algorithm, but Dailymotion denies that personal data has been compromised.

“It has come to our attention that a potential security risk, coming from outside Dailymotion, may have compromised the passwords for a certain number of accounts,” the company said in a blog post.

“The hack appears to be limited, and no personal data has been compromised. Your account security is extremely important to us and, to be on the safe side, we are strongly advising all of our partners and users to reset their passwords,” said Dailymotion.

News of the breach comes just three weeks after LeakedSource reported that user details of more than 412 million accounts had been exposed in a data breach at FriendFinder Networks, once again highlighting the poor password practices and poor security around user data.

News of the Dailymotion breach prompted fresh calls for improved security measures and for passwords to be eliminated as a means of identification and authentication.

“How many more major user name and password thefts do there need to be before the industry sits up and acknowledges that this is a fundamentally insecure method of security,” said Richard Parris, CEO at digital identity firm Intercede.

“Unfortunately for the consumers affected by the Dailymotion hack, it’s not just their Dailymotion accounts that are at risk. Without a doubt, there’ll be a number of customers who have recycled their passwords across numerous sites – and who can blame them? When you have 30-odd online identities, it’s unrealistic to expect consumers to create, and remember, 30 different – but complicated – passwords. It’s hard enough to remember 30 simple passwords,” he said.

According to Parris, the responsibility lies instead with businesses to reject password authentication and adopt secure alternatives.

“They are available, they are easy to implement and they offer much higher levels of security,” he said.

Emily Orton, director at security firm Darktrace, said with more than 87 million accounts compromised, the Dailymotion breach is of a significant size.

“But the larger question is – when was the attack discovered? And why are we only just hearing about this data breach now?” she said.

“If companies could see precisely what was happening on their network, in real time, then attacks such as this could be detected in their nascent stages, before they escalated into damaging data breaches. As it is, public confidence in Dailymotion’s ability to defend its customers’ data has been shaken.”

According to Ilia Kolochenko, CEO of web security firm High-Tech Bridge, an examination of the currently available information about the incident suggests that it can be linked to an insecure web application.

“The Gartner Hype Cycle for Application Security 2016 says that applications, not infrastructure, represent the main attack vector for data exfiltration. As we can see by this example, even the largest companies fail to properly protect their web applications, putting their users at great risk,” he said.

Kolochenko said users of Dailymotion should prepare for mass spear-phishing attacks. “Phishing combined with password re-use will allow cyber criminals to compromise many different accounts belonging to the victims,” he said.

“The main wave may come just before or during Christmas shopping – when people are stressed and less attentive – while attackers will have enough time to carefully prepare their campaigns.”

1 comment

DM CEO Saada claims in the last 2 years he has cleaned up Dailymotion site. One look at DM and you can see the site has not changed. We can see videos that have been posted up to 3 years ago.

Even with parental controls on, we can see garbage videos with nudity. Not even quality nudity, more splashed around. With bad titles.

Saada and Dailymotion claim they want to build a "quality" and "family" site.

They failed. Plus with the Hack of 85 million accounts. One thing they say is well good thing DM does not keep financial data. LIE, they have financial data on people who upload videos for profit. How can they pay them without financial data???
So complete lie on company to cover themselves.
In addition to all that, Dailymotion has continued copyright infringement in Russia. When Russian Media tried to contact DM, they were ignored. Now DM is banned in Russia.