Hackers have breached Mixcloud and exposed data from over 20 million user accounts. Mixcloud confirmed the breach over the Thanksgiving weekend.
The Mixcloud breach was first revealed after the data went up for sale on the dark web. A correspondent with Motherboard was able to confirm the authenticity of the data. The seller is asking for 0.5 bitcoins or around $4,000 for the data.
Data stolen includes usernames, email addresses, and passwords for user accounts, along with account sign-up dates, last-login dates, and the users’ country and IP addresses. The passwords were hashed and salted using the SHA-2 algorithm.
That algorithm was perfected by the NSA and an effective attack has yet to be found. (The key word there is ‘yet’.)
Motherboard says they verified the emails using the site’s sign-up feature. The seller provided 1,000 mixed samples of the data for verification. Mixcloud later responded to the report, verifying the breach.
Mixcloud does not store data such as full credit card numbers or mailing addresses. The service says it has no reason to believe passwords were compromised. However, if you have a Mixcloud account, you should probably change your password.
Mixcloud says most users sign up using the Facebook authentication method, which requires no default password. The dark web seller confirmed the data was obtained in a breach that happened this year.
“We are actively investigating the incident. We apologize to those affected and are sorry that this has happened. Mixcloud understands this is frustrating and upsetting to hear, and we take the trust you put in us very seriously.”
Mixcloud lets DJs upload their own mixes and tracks for others to listen to. The service offers both a free tier and a premium subscription; earlier, the company noted that advertising doesn’t pay the bills. The company boosted its annual revenue by 45% last year, but losses tripled on rising royalty fees.