Beware of Credential Stuffing Attacks!

The popular video website Daily Motion warned its users on Friday that it was the victim of what is known as a ‘Credential Stuffing’ attack and advised some users to reset their passwords. But what is a Credential Stuffing attack and what are the impacts?

Essentially, Credential Stuffing involves testing a list of usernames and passwords across different sites to see if any of those combinations are valid. So, for example, an attacker might have a username of ‘Gerry123’ and a password of ‘P@$$word1’ (that’s a terrible password by the way, so please don’t use it) and then try that combination on Facebook, Twitter, Instagram and all the different banks to see if they can log in. The hope is that the username and password combination has been reused at least once, if not more.

In the case of Daily Motion (and Reddit, which also suffered a similar attack earlier in the month), it would appear that an attacker has managed to get hold of a large list of usernames and passwords and has been trying each of these to see if any of the credentials are valid. Once the attacker gains access to an account, they will then use an account checker to see where else that combination has been used.

This is why it is vital that each service that you use on the internet has a unique password. If all of your passwords are different, then even if one is breached, only that one account is compromised rather than multiple accounts.

- Gerry Grant, Chief Ethical Hacker

