Mixcloud Suffers Data Breach: 21 Million User Accounts Compromised

DJ mix sharing site Mixcloud is the latest to suffer a data breach. In all, an estimated 21 million accounts have been compromised.

It’s the latest in a string of larger breaches we’ve been seeing lately. Mixcloud, a website devoted to helping DJs share mixes, has been hit with a data breach. In all, roughly 21 million user accounts have been compromised.

From TechCrunch:

The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.

The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their internet (IP) address, and links to profile photos.

We verified a portion of the data by validating emails against the site’s sign-up feature, though Mixcloud does not require users to verify their email addresses.

Shortly after the report surfaced, reporters began seeking reaction from Mixcloud. Apparently, the service had no idea that their data had been compromised until reporters came asking. From Motherboard:

The seller, who goes by the handle “A_W_S,” is currently asking for around 0.5 bitcoins, or approximately $4,000, for the data.

Motherboard informed Mixcloud of the apparent breach. Company CTO and co-founder Mat Clayton said this was the first they had heard of the incident, and started investigating the issue.

“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems,” Mixcloud’s co-founders told Motherboard in a statement. “The majority of Mixcloud users signed up via Facebook authentication, where by default no password is stored. Mixcloud does not store data such as full credit card numbers or mailing addresses,” the statement added.

“We have no reason to believe that any passwords have been compromised. However you may want to change yours especially if you have been using the same one across multiple services,” Mixcloud suggested in its statement.

This is definitely a good-news, bad-news scenario. The good news is that the passwords were hashed. As a result, this buys users time to reset their passwords. The bad news is that the breach took place and went completely undetected by staff. This suggests under-the-hood improvements are badly needed to detect such intrusions in the first place.

The larger numbers have been a bit of a theme lately. Last month, we reported on how the Desjardins data breach worsened to include the company’s entire customer base of 4.2 million people. After that, researchers uncovered a massive data leak which affected 1.2 billion “enriched” accounts. Finally, yesterday, we reported on the T-Mobile data breach, which saw a comparatively minor 1 million customers compromised. One thing is for sure: although we haven’t been able to report on as many security incidents lately, what we are able to cover seems to affect much larger volumes of accounts.

Drew Wilson on Twitter: @icecube85 and Facebook.


