Updated: Monday, 12/7 9:00 am PT: Tunecore offers an official statement on the hack (updated below).
Security breaches are sadly becoming routine these days, though hacks are suddenly spiking in the music industry. On Friday, Tunecore became the latest to suffer a breach, though the exact nature of the damage remains uncertain. Initial correspondence from CEO Scott Ackerman started late Friday night and into Saturday morning, with an official statement now released to Digital Music News:
A recent data breach may have resulted in unauthorized access to some of our customers’ personal data and account information. TuneCore takes data security very seriously, especially the security of our customers’ personal information.
TuneCore already had in place a number of security measures, including: manual review of all requests for payment, restricting access to our main website and protecting account passwords. We are actively working with law enforcement to investigate this unlawful act, and we have retained a leading cybersecurity firm to help prevent this from happening again. We are also working to further enhance our network and software security, and will continue to do so in the weeks and months ahead.
TuneCore greatly values our customers and respects the privacy of their information. Any customers with additional questions can refer to this FAQ page.
The actual fallout could take weeks or months to understand, though Tunecore appears to be playing tight defense. Among the potentially stolen data are customer names, addresses, email addresses, account numbers, and passwords, according to Ackerman, though no mention of credit card numbers has been made. Unfortunately, this damage can easily ripple beyond Tunecore, with hackers using passwords to break into other accounts that employ the same login credentials.
In response, Tunecore has already invalidated passwords, and other measures are certainly being taken. Thankfully, Tunecore is giving its users the bad news in a straightforward fashion, a smart hedge against potentially more serious issues ahead. “It is possible for a determined hacker with sufficient time, using advanced computing tools, to recover those passwords,” Ackerman noted.
The unfortunate breach follows cracks at Spotify, Patreon, and Songkick in recent months, among others. In the case of Songkick, an overwhelming level of demand for Adele tickets led to some strange mishaps, including the display of other fans’ ticketing purchases. “At no time was anyone able to access another person’s password, nor their payment or credit card details (which are not retained by Songkick),” the company told the BBC.
In the other cases, the damage seems to be contained, though none of that is especially reassuring to affected users.
Cover image by Leo Grübler, licensed under Creative Commons Attribution 2.0 Generic (CC by 2.0).