Mixcloud users’ emails, hashed passwords and usernames are now being sold on the underground forums
Music Streaming platform Mixcloud suffered a data breach that affects around 21 million users worldwide. The UK-based company started the investigation and published a security notice on its blog as soon as major tech websites like ZDNet, Motherboard, and Tech Crunch were contacted by the hacker who provided a portion of the stolen data.
According to several publications, Mixcloud data breach became evident on Friday, when a hacker under the pseudonym A_W_S contacted several news outlets. The actor is related to a well-known data thief Gnosticplayers – he previously stole around 930 million records from 44 high-profile companies.[1] The unauthorized access occurred in the first half of November, and Mixcloud did not spot the intrusion prior to being contacted by investigative journalists:[2]
We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems.
While it is yet unknown how the hacker managed to compromise the system and access the information, it is currently confirmed that 21 million entries are being sold on the dark web, and information includes users’ email addresses, usernames, IP addresses, country of origin, login and registration dates, as well as hashed passwords.
Mixcloud stores passwords hashed with secure algorithm
ZDNet and other contacted outlets were able to confirm hacker’s claims via various methods. Some tried to create new Mixcloud accounts by using usernames that correlate to the emails provided while others contacted the affected users. Both methods verified that the breach is real, so Mixcloud was immediately informed, which prompted an immediate investigation. The data dump ends on November 13, which is believed to be the date of the intrusion.
Although users’ passwords were also leaked, Mixcloud uses adequate protection measures to prevent direct exposure in the case of a data breach. The audio streaming service confirmed that passwords are encrypted with an advanced SHA-2 encryption algorithm, making unscrambling of those an almost impossible task. On the other hand, there were multiple data breaches that involved customer passwords being stored with SHA-1, a far less secure hashing mechanism (MyFitnessPal, Flipboard, Hostinger,[3] Zynga, etc.).
Mixcloud also said that most of the users used Facebook to log in to the service, which does not require them to create a password – it is simply not stored anywhere by the company:[4]
The majority of Mixcloud users signed up via Facebook authentication, where by default no password is stored. Mixcloud does not store data such as full credit card numbers or mailing addresses.
A_W_S claims to be involved in multiple other hacks
According to ZDNet,[5], the hacker A_W_S is selling the stolen Mixcloud information on the Dark Web for $2,000, while other sources claim that he is asking for 0.5 Bitcoin (or $4,000) for the same data. There is a possibility that the malicious actor uses several listings on different websites, asking for different sums of money.
A_W_S claims to be involved in multiple other hacks which involved the following companies:
- Canva – 137mil
- Chegg – 40mil
- Poshmark – 36mil
- PromoFarma – 26mil
- RoadTrippers – 25mil
- StockX – 6.8mil
- StorEnvy – 23mil
- Wirecard (Brazil) – 48mil
Nevertheless, he only provided evidence samples from Canva, Chegg, PromoFarma, and RoadTrippers. All the listings are presented on the underground forums and are being sold for different prices.
If you had Mixcloud account created and did not login via Facebook, you are still advised to reset your password as soon as possible – especially if you use the same password on multiple websites. Additionally, you should also watch out for your inbox and expect targeted scam/phishing emails coming your way.