A breach at French video sharing website Dailymotion that exposed more than 87.5 million user accounts has prompted fresh calls for an alternative to passwords.
According to breach notification site LeakedSource, the breach took place on 20 October 2016 and exposed details including user names, email addresses and passwords protected with the Bcrypt hashing algorithm, but Dailymotion denies that personal data has been compromised.
“It has come to our attention that a potential security risk, coming from outside Dailymotion, may have comprised the passwords for a certain number of accounts,” the company said in a blog post.
“The hack appears to be limited, and no personal data has been comprised. Your account security is extremely important to us and, to be on the safe side, we are strongly advising all of our partners and users to reset their passwords,” said Dailymotion.
News of the breach comes just three weeks after LeakedSource reported that user details of more than 412 million accounts had been exposed in a data breach at FriendFinder Networks, once again highlighting poor password practices and poor security around user data.
News of the Dailymotion breach prompted fresh calls for improved security measures and for passwords to be eliminated as a means of identification and authentication.
“How many more major user name and password thefts do there need to be before the industry sits up and acknowledges that this is a fundamentally insecure method of security?” said Richard Parris, CEO at digital identity firm Intercede.
“Unfortunately for the consumers affected by the Dailymotion hack, it’s not just their Dailymotion accounts that are at risk. Without a doubt, there’ll be a number of customers who have recycled their passwords across numerous sites – and who can blame them? When you have 30-odd online identities, it’s unrealistic to expect consumers to create, and remember, 30 different – but complicated – passwords. It’s hard enough to remember 30 simple passwords,” he said.
According to Parris, the responsibility lies instead with businesses to reject password authentication and adopt secure alternatives.
“They are available, they are easy to implement and they offer much higher levels of security,” he said.
Emily Orton, director at security firm Darktrace, said with more than 87 million accounts compromised, the Dailymotion breach is of a significant size.
“But the larger question is – when was the attack discovered? And why are we only just hearing about this data breach now?” she said.
“If companies could see precisely what was happening on their network, in real time, then attacks such as this could be detected in their nascent stages, before they escalated into damaging data breaches. As it is, public confidence in Dailymotion’s ability to defend its customers’ data has been shaken.”
According to Ilia Kolochenko, CEO of web security firm High-Tech Bridge, an examination of the currently available information about the incident suggests that it can be linked to an insecure web application.
“The Gartner Hype Cycle for Application Security 2016 says that applications, not infrastructure, represent the main attack vector for data exfiltration. As we can see by this example, even the largest companies fail to properly protect their web applications, putting their users at great risk,” he said.
Kolochenko said users of Dailymotion should prepare for mass spear-phishing attacks. “Phishing combined with password re-use will allow cyber criminals to compromise many different accounts belonging to the victims,” he said.
“The main wave may come just before or during Christmas shopping – when people are stressed and less attentive – while attackers will have enough time to carefully prepare their campaigns.”