UPDATED 19:38 EDT / DECEMBER 02 2019

21M customer records stolen from music streaming service Mixcloud

U.K.-based music streaming service Mixcloud Ltd. has been hacked, with about 21 million customer records stolen.

The hack is believed to have occurred in November and only came to light after a “dark web” seller provided a portion of the stolen data to some outlets.

The data included usernames, email addresses, signup dates and login details, including IP addresses, profile photos and encrypted passwords. The database of stolen data is currently for sale on the dark web, a shady part of the internet reachable with special software, for 0.5 bitcoin, the equivalent of $3,664.

Mixcloud confirmed the hack in a blog post Saturday, saying that it believes the data involves only a minority of users. The company noted that the passwords were encrypted with “salted cryptographic hashes to ensure that they are extremely difficult to unscramble.” As a precaution, Mixcloud advised affected users to change their passwords.

How the hack took place remains unknown. As a U.K.-based company, Mixcloud is required to comply with the European Union’s General Data Protection Regulation, so an investigation will be forthcoming. Even if the U.K. leaves the EU later this year or early next year, the regulation will still apply because the company has customers in Europe.

“In terms of the alleged breach of Mixcloud, it seems that an incident has indeed occurred but its scope and impact are pretty obscure,” Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE. “I’d refrain from any determinative conclusions until Mixcloud conducts a holistic investigation including an in-depth review of their trusted third-parties for possible data breaches or leaks.”

Kolochenko said public marketplaces on the dark web have become an abundant source of unverifiable data breaches.

“Using pretty simple Machine Learning models or traditional algorithms tailored to morph data in a specific manner, unscrupulous sellers often alter previously exposed data sets and advertise them as recent breaches,” he said. “Certain stolen records come from hacked third parties that process a large number of accounts and are actually advertised as a data breach affecting the main company, not its supplier. I would, however, not underplay the risks and promptly investigate every mention in the dark web to ascertain whether and when the data breach has actually occurred.”

Javvad Malik, security awareness advocate at security awareness training firm KnowBe4 Inc., noted that it’s fortunate that Mixcloud appeared to secure the user passwords correctly by hashing and salting them.

“However, the breach raises some questions around how the attacker got into the system, and why was Mixcloud unable to detect when the breach occurred,” Malik said. “It highlights the importance for all companies of all sizes and verticals to look into how they deploy security controls across their people, process and technology; as well as factoring in preventative, detective and recovery measures.”
