- Mixcloud suffered an undisclosed data breach earlier in the month, and the stolen data is now for sale.
- The seller lists usernames, email addresses, IP addresses, and hashed passwords that are hard to crack.
- Mixcloud says there’s no reason to worry about anything, but twenty million people had their PII exposed.
According to a report by TechCrunch, a new data dump is for sale on the dark web right now, and it appears to come from a breach of the Mixcloud audio streaming platform. Mixcloud is a very popular UK-based music streaming service that was launched over a decade ago, offering a wide range of radio shows, DJ mixes, podcasts, and songs. It seems the platform suffered a data breach earlier in the month but hasn’t disclosed it to the public.
Mixcloud may not have realized that the breach occurred, or it may have decided to keep it a secret until its internal investigation was concluded. Whatever the case, the dump is for sale right now, and the fact that there’s nothing on the audio streaming website to inform users isn’t positive in any way we see it. The data that is for sale contains usernames, email addresses, IP addresses, links to profile photos, countries, and passwords that have been hashed with the SHA-2 algorithm. This last detail provides some comfort to the exposed users, as SHA-2 is a cryptographic hash function that is currently considered safe.
TechCrunch tested some of the data that is for sale and verified its authenticity. The price tag for this dump is 0.5 Bitcoin, or about $4000. This corresponds to a minuscule amount per account, as the data isn’t very valuable without cleartext passwords. However, the exposed users could still fall victim to phishing attacks or other scamming attempts. We therefore suggest that you reset your password on the platform now, but note that this won’t eliminate the risks you are already exposed to as a result of this incident.
As for Mixcloud, the UK is still part of Europe, and thus the GDPR still applies to the company. That said, they are very likely to be fined up to 4% of their annual turnover for this data breach. In the meantime, it would be good to see a more in-depth official announcement explaining what happened, and for data breach notifications to be sent to the affected users. As a Mixcloud user myself, I can confirm that nothing has been circulated yet.