21M customer records stolen from music streaming service Mixcloud
U.K.-based music streaming service Mixcloud Ltd. has been hacked, with about 21 million customer records stolen.
The data included usernames, email addresses, signup dates and login details, including IP addresses, profile photos and encrypted passwords. The database of stolen data is currently for sale on the dark web, a shady part of the internet reachable with special software, for 0.5 bitcoin, the equivalent of $3,664.
Mixcloud confirmed the hack in a blog post Saturday, saying that it believes the data involves only a minority of users. The company noted that the passwords were encrypted with “salted cryptographic hashes to ensure that they are extremely difficult to unscramble.” As a precaution, Mixcloud advised affected users to change their passwords.
How the hack took place remains unknown. As a U.K.-based company, Mixcloud is required to comply with the European Union’s General Data Protection Regulation, so an investigation will be forthcoming. Even if the U.K. leaves the EU either later this year or early next year, the regulation is still applicable because the company has customers in Europe and hence GDPR compliance is still required.
“In terms of the alleged breach of Mixcloud, it seems that an incident has indeed occurred but its scope and impact are pretty obscure,” Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE. “I’d refrain from any determinative conclusions until Mixcloud conducts a holistic investigation including an in-depth review of their trusted third-parties for possible data breaches or leaks.”
Kolochenko said public marketplaces on the dark web become an abundant source of unverifiable data breaches.
“Using pretty simple Machine Learning models or traditional algorithms tailored to morph data in a specific manner, unscrupulous sellers often alter previously exposed data sets and advertise them as recent breaches,” he said. “Certain stolen records come from hacked third parties that process a large number of accounts and are actually advertised as a data breach affecting the main company, not its supplier. I would, however, not underplay the risks and promptly investigate every mention in the dark web to ascertain whether and when the data breach has actually occurred.”
Javvad Malik, security awareness advocate at security awareness training firm KnowBe4 Inc., noted that it’s fortunate that Mixcloud appeared to secure the user passwords correctly by hashing and salting them.
“However, the breach raises some questions around how the attacker got into the system, and why was Mixcloud unable to detect when the breach occurred,” Malik said. “It highlights the importance for all companies of all sizes and verticals to look into how they deploy security controls across their people, process and technology; as well as factoring in preventative, detective and recovery measures.”
Image: Mixcloud/Google Play
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.