Millions of Dailymotion user accounts have reportedly been hacked by an unknown hacker. The email addresses, usernames and passwords of over 85 million users of Dailymotion, one of the largest video sharing platforms on the internet, are believed to have been exposed by the hack, according to reports.
According to breach notification site LeakedSource, which claimed to have acquired the data, the hack likely occurred on 20 October, indicating that the stolen data may have been in circulation on underground forums.
Of the 85.2 million compromised accounts, roughly 18 million were found to have passwords scrambled with bcrypt hashing, ZDNet reported. Given that hashed passwords are generally more difficult to crack, the compromised accounts may have an additional layer of protection against hackers attempting to infiltrate them.
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told IBTimes UK: "By examining currently available information about the incident, we can suggest that an insecure web application was probably at the origins of the breach. As we can see by this example, even the largest companies fail to properly protect their web applications, putting their users at great risk.
"We should expect and prepare ourselves for mass spear-phishing attacks combined with password re-use, which will allow cybercriminals to compromise many different accounts belonging to the victims. The main wave may come just before or during Christmas shopping – when people are stressed and less attentive, while attackers will have enough time to carefully prepare their campaigns."
A sample of the compromised data reviewed by ZDNet has been verified by matching plaintext passwords with hashed passwords against email addresses. LeakedSource, which generally cracks passwords from leaked data dumps, does not intend to do so this time because of the strength of the hashing algorithm applied to some of the compromised passwords.
"It would be a waste of resources for us to crack them, so we typically don't bother," a LeakedSource spokesperson told Bleeping Computer. "A determined hacker who wants to crack one person's hash may still be able to."
Dailymotion has yet to comment on the cyberattack. It is unclear how the hacker gained access to user accounts. It is also unknown whether users have been notified of the data breach.
The data breach follows a recent slew of similar high-profile hacks sustained by firms such as adult dating site Friend Finder, Weebly and Deliveroo.