An unauthorized party illegally accessed systems belonging to British online audio streaming service Mixcloud and is now reportedly selling the company’s user data on the dark web.
Roughly 20 million to 22 million accounts were compromised in the November incident, according to multiple media organizations that were contacted by the malicious hacker late last week.
An online security notification that Mixcloud posted on Nov. 30 states describes the affected data as email addresses and IP addresses, as well as salted and hashed passwords for a “minority of Mixcloud users.”
The company said most of its users signed up for via Facebook authentication, in which case passwords were not stored.
“Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services,” the company advised in the notification, which was attributed to Mixcloud co-founders Nico Perez, Mat Clayton and Nikhil Shah.
Media reports listed several other data categories not referenced in the Mixcloud notification, including account sign-up dates, users’ last login dates, and countries of origin. The stolen data reportedly also contained links to profile photos.
Motherboard reported that a seller with the handle “A_W_S” data is offering for data set for a price of 0.5 bitcoins, which today is worth about $3,600.
“Any breach is unfortunate, although in this instance, it is fortunate that Mixcloud appeared to correctly secure the user passwords by hashing and salting them,” Javvad Malik, security awareness advocate at KnowBe4, said in emailed comments. “However, the breach raises some questions around how the attacker got into the system, and why… Mixcloud [was] unable to detect when the breach occurred. It highlights the importance for all companies of all sizes and verticals to look into how they deploy security controls across their people, process and technology, as well as factoring in preventative, detective and recovery measures.”