Cyber Incident Victim: Dailymotion

On January 19, 2019, video-sharing platform DailyMotion experienced a credential stuffing attack, as disclosed in a January 27 announcement. Credential stuffing involves attackers using username and password combinations leaked from other websites to gain unauthorized access to accounts on unrelated platforms. The company's security team detected the intrusion during the attack's active phase and implemented immediate countermeasures to block further unauthorized access attempts. DailyMotion confirmed that the attackers successfully compromised a limited number of user accounts during this incident, though the exact number of affected accounts was not specified in their communications. The attack window was confined to the initial discovery date of January 19, with no evidence suggesting prolonged unauthorized access beyond this timeframe.

In response, DailyMotion initiated password resets for all impacted accounts beginning January 20, forcibly logging out affected users from their sessions as a containment measure. The company distributed notification emails containing password reset links to compromised account holders, enabling them to regain control of their profiles. As part of regulatory compliance obligations under the European Union's General Data Protection Regulation (GDPR), DailyMotion formally reported the security incident to France's data protection authority, the Commission nationale de l'informatique et des libertés (CNIL). The company characterized its technical response as having taken "all necessary steps" to terminate the attack, though specific security controls or system modifications implemented were not detailed in public statements. No evidence emerged suggesting theft of user data beyond account access itself, with the primary impact being temporary loss of account control for affected subscribers.