Music streaming service Mixcloud suffers data breach affecting 21 million users

Data of 21 million Mixcloud users put up for sale on a dark web marketplace.



On 29 November, a hacker contacted several journalists to inform them about a data breach involving the British music streaming service Mixcloud. The hacker claimed to have breached the streaming service and stolen data of 21 million users, which is now for sale on a dark web marketplace. Mixcloud later confirmed the breach.

According to technology website ZDNet, which was sent samples of the data, the stolen information includes usernames, email addresses, hashed password strings, country, registration dates, last login dates, and IP addresses. ZDNet was able to verify the data by contacting several users whose information appeared in the samples.

The streaming service notes that a large number of Mixcloud users signed up via Facebook authentication, which means that the company did not store their passwords.

“Our understanding at this time is that the incident involves email addresses, IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords,” Mixcloud co-founders said in the blog post.

They also claim not to store full credit card numbers or mailing addresses, meaning that such data could not have been stolen. Furthermore, the passwords that Mixcloud stores are protected with salted cryptographic hashes, which means that they are essentially impossible to reverse and are useless to those looking to buy the data. While Mixcloud does not believe any passwords have been compromised, it still suggests users change them as a precaution.

The exact number of affected accounts is not known, though the hacker has put up 21 million records for sale on the dark web marketplace. The accounts are being sold for 0.5 Bitcoin, which is around $3660 at the time of writing.

The statement informing users about the breach did not mention whether the appropriate authorities have been contacted, or how the breach happened in the first place. Mixcloud is a London-based company, which means it is subject to UK and European data protection laws. Violating Europe’s GDPR (General Data Protection Regulation) could lead to a fine of €20 million, or up to 4% of the company’s annual turnover.

The hacker who put the Mixcloud data up for sale has previously claimed responsibility for numerous data breaches, including that of StockX. StockX initially denied suffering a data breach but later admitted to being hacked, which resulted in 6.8 million exposed user accounts.