UPDATED 19:38 EST / DECEMBER 02 2019

SECURITY

21M customer records stolen from music streaming service Mixcloud

U.K.-based music streaming service Mixcloud Ltd. has been hacked, with about 21 million customer records stolen.

The hack is believed to have occurred in November and only came to light after a “dark web” seller provided a portion of the stolen data to some outlets.

The data included usernames, email addresses, signup dates and login details, including IP addresses, profile photos and encrypted passwords. The database of stolen data is currently for sale on the dark web, a shady part of the internet reachable with special software, for 0.5 bitcoin, the equivalent of $3,664.

Mixcloud confirmed the hack in a blog post Saturday, saying that it believes the data involves only a minority of users. The company noted that the passwords were encrypted with “salted cryptographic hashes to ensure that they are extremely difficult to unscramble.” As a precaution, Mixcloud advised affected users to change their passwords.

How the hack took place remains unknown. As a U.K.-based company, Mixcloud is required to comply with the European Union’s General Data Protection Regulation, so an investigation will be forthcoming. Even if the U.K. leaves the EU either later this year or early next year, the regulation is still applicable because the company has customers in Europe and hence GDPR compliance is still required.

“In terms of the alleged breach of Mixcloud, it seems that an incident has indeed occurred but its scope and impact are pretty obscure,” Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE. “I’d refrain from any determinative conclusions until Mixcloud conducts a holistic investigation including an in-depth review of their trusted third-parties for possible data breaches or leaks.”

Kolochenko said public marketplaces on the dark web become an abundant source of unverifiable data breaches.

“Using pretty simple Machine Learning models or traditional algorithms tailored to morph data in a specific manner, unscrupulous sellers often alter previously exposed data sets and advertise them as recent breaches,” he said. “Certain stolen records come from hacked third parties that process a large number of accounts and are actually advertised as a data breach affecting the main company, not its supplier. I would, however, not underplay the risks and promptly investigate every mention in the dark web to ascertain whether and when the data breach has actually occurred.”

Javvad Malik, security awareness advocate at security awareness training firm KnowBe4 Inc., noted that it’s fortunate that Mixcloud appeared to secure the user passwords correctly by hashing and salting them.

“However, the breach raises some questions around how the attacker got into the system, and why was Mixcloud unable to detect when the breach occurred,” Malik said. “It highlights the importance for all companies of all sizes and verticals to look into how they deploy security controls across their people, process and technology; as well as factoring in preventative, detective and recovery measures.”

Image: Mixcloud/Google Play

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU