DailyMotion hit by a credential stuffing attack impacting a limited number of user accounts

• Attackers hit DailyMotion with a credential stuffing attack, thereby gaining access to a limited number of accounts.
• DailyMotion has notified its potentially affected users on the incident and has asked them to reset their passwords.

DailyMotion is a video sharing platform which is available worldwide in 18 languages. It is one of the most visited sites on the internet with a rank of #134 on the Alexa traffic ranking. The video sharing platform announced on January 25, 2019, that it has been hit by a credential stuffing attack.

Credential stuffing attack is a type of cyber attack where attackers use a combination of usernames and passwords that have been stolen from other online sites where the credentials have been exposed. Attackers use the stolen credentials to gain unauthorized access on users accounts.

What was the immediate action taken?

DailyMotion learned about the incident from its security team who discovered the attack.

• Upon learning the incident, DailyMotion took necessary measures to stop the attack.
• The company has notified the CNIL (Commission nationale de l'informatique et des libertés) on the incident as per the new GDPR legislation.
• The Video-sharing platform has been logging off user accounts and resetting passwords of those users who have been potentially affected by the attack.
• The company has also notified the potentially affected users via email and have requested them to reset their passwords.

Contents of the email

The notification read that DailyMotion suffered a credential stuffing attack which started on January 19, 2019. In the notification, DailyMotion confirmed that the attack has been successful in some cases, with attackers gaining access to a limited number of accounts.

The company also notified that its security team has taken necessary action to block the attack.

The notification email sent to impacted users also contained a link for users to reset their passwords and regain control of their account, ZDNet reported.