Mixcloud, an online music streaming service provider, was recently compromised by a hacker that tried to sell stolen data of more than 20 million users on the dark web marketplace.
The incident came to light after the hacker, who goes by an online name “AWS” contacted multiple media firms to reveal the attacks and provided stolen data samples as a proof of the breach.
According to reports, the attacker accessed users’ data, including usernames, email addresses, account sign-up dates, SHA-2 hashed passwords, registration dates, IP addresses, and links to profile photos. It’s said that the hacker kept the data dump for sale for around US$ 2,000.
Mixcloud said that most users had signed up to their services via Facebook credentials and did not have a separate password to their Mixcloud account. For users who have separate passwords for their Mixcloud accounts, the company said that their passwords should be safe, as they were salted and passed through a strong hashing function (SHA256 algorithm), making it difficult to decode. However, Mixcloud urged its users to reset their passwords to be on the safe side.
“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems,” the company said in a statement. “We are actively investigating the incident. We apologize to those affected and are sorry that this has happened. We understand this is frustrating and upsetting to hear, and we take the trust you put in us very seriously.”
“Our understanding at this time is that the incident involves email addresses, IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords,” the statement added.