Mixcloud Breach Affects 21 Million Accounts
Hashed Passwords, Email Addresses Leaked
Digital streaming platform Mixcloud says it's the victim of a data breach after an attacker shared personal data for registered users with several media outlets, including Vice and ZDNet. Data that the seller claims is for about 21 million users is for sale in an underground market.
That data includes email addresses and IP addresses, the company says in a statement. Also, hashed passwords for a “minority” of Mixcloud users were exposed. The company, which is based in London, doesn’t store mailing addresses or full credit card numbers.
“We are actively investigating the incident,” the company says. “We apologize to those affected and are sorry that this has happened. We understand this is frustrating and upsetting to hear, and we take the trust you put in us very seriously.”
It wasn’t immediately clear how the attackers gained access to Mixcloud’s systems.
Mixcloud sits in a highly competitive landscape that includes Spotify and streaming services from Apple, Google and Amazon. It lets users upload their own mixes, similar to another competitor, SoundCloud, which has special appeal for DJs. According to a January 2017 story in Variety, Mixcloud then had 17 million active monthly users.
Suggestion: Change Your Password
Mixcloud is recommending that users change their passwords. Most of its users, however, use single sign-on with their Facebook credentials for authentication. As a result, Mixcloud does not handle those passwords.
“Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services,” Mixcloud says.
The password hashes that were compromised were salted, Mixcloud says. Salting involves adding extra random data to each password before it is hashed, which makes the resulting hashes more resistant to cracking attempts.
“The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble,” Mixcloud says. “This means that they are unlikely to be decrypted by hackers.”
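To make concrete what salting buys a breached service, here is an added illustration (not Mixcloud's code; the article does not say which hash function Mixcloud uses, so PBKDF2-HMAC-SHA256 is assumed for the example). It stores the same weak password for two constructed users, once with plain SHA-256 and once salted, and shows that a precomputed table of common-password hashes recovers the unsalted ones instantly but matches nothing once each account has its own random salt. It also shows why the correct way to check a salted hash is to recompute it and compare, which is why such hashes are guessed rather than "decrypted":

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: two accounts that happen to share the same weak password.
USERS = {"alice": "summer2019", "bob": "summer2019"}

# Constructed precomputed lookup table: unsalted SHA-256 of a few common
# passwords. Tables like this are why unsalted hashes offer little protection.
COMMON_PASSWORDS = ["123456", "password", "summer2019", "qwerty"]
UNSALTED_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# PBKDF2-HMAC-SHA256 is an assumption for this example; the iteration count
# follows OWASP's current guidance for that construction.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """PBKDF2-HMAC-SHA256 with a fresh random salt per account.

    Returns (salt, hex digest); both are stored, the salt is not secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def table_lookup(stored_hex: str) -> Optional[str]:
    """What the precomputed table recovers from a stored hash, if anything."""
    return UNSALTED_TABLE.get(stored_hex)


def demo() -> dict:
    """Store both users' passwords both ways and report what an attacker
    holding the database plus the table would learn in each case."""
    unsalted = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return {
        # Same password -> same hash, so cracking one account cracks both.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_recovered": sorted(u for u, h in unsalted.items() if table_lookup(h)),
        # Per-account salts make the stored values differ even for equal passwords.
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "salted_recovered": sorted(u for u, (_, h) in salted.items() if table_lookup(h)),
        # The legitimate service can still authenticate users.
        "verify_ok": all(verify_salted(USERS[u], s, h) for u, (s, h) in salted.items()),
        "verify_wrong_rejected": not verify_salted("wrong-guess", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats table reuse but not guessing: an attacker with the salt can still run a dictionary against each account one at a time, which is why the slow, iterated hash matters as much as the salt and why the company's advice to change a reused password still applies.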
Password re-use is one of the reasons that breaches are so valuable for attackers. The best practice with passwords is to create a unique one for each service. That’s usually only practical for those using a password manager. Most browsers have built-in ones, while another option is a subscription to a third-party product.
Mozilla has gone a step further in Firefox. It has a password manager and also has a Monitor feature, which is integrated with the data breach notification service Have I Been Pwned. HIBP sends a notification if someone’s email address turns up in a batch of leaked data. The password manager 1Password has the same feature.
Data For Sale
The data is for sale in a dark web marketplace by someone going by the nickname A_W_S, Vice and ZDNet report. Someone contacted those publications with samples of the stolen data, which appears to be legitimate, both reported. The number of affected accounts is about 21 million, the sellers say.
Vice reported the data was for sale for 0.5 bitcoin, which is around $3,700. A screenshot of the advertisement on the unnamed dark web marketplace posted by ZDNet showed a reduced price of $2,000.
A_W_S has posted data sets on the marketplace in the past, including for Australian company Canva, Chegg and StockX, ZDNet reported.