Mixcloud Investigating Alleged Data Breach Impacting 21 Million Users
November 29, 2019A data reseller is advertising an alleged 21 million user accounts stolen from music streaming site Mixcloud on the dark web.
The seller, who goes by the handle "A_W_S," is currently asking for around 0.5 bitcoins, or approximately $4,000, for the data.
Motherboard informed Mixcloud of the apparent breach. Company CTO and co-founder Mat Clayton said this was the first they had heard of the incident, and started investigating the issue.
"We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems," Mixcloud's co-founders told Motherboard in a statement. "The majority of Mixcloud users signed up via Facebook authentication, where by default no password is stored. Mixcloud does not store data such as full credit card numbers or mailing addresses," the statement added.
Mixcloud lets users upload their own DJ mixes and tracks for others to listen to. In July the company launched a "Premium" subscription service and limited features for free users. In 2017, the company said it had over 17 million users.
A_W_S provided Motherboard with a sample of 1,000 Mixcloud accounts. The data includes usernames, email addresses, and hashed passwords. Hashing is a way of scrambling passwords so they can be stored more securely; Mixcloud is using a robust method for generating these hashes, according to the data. A_W_S said the data was obtained in late 2019.
To verify the data, Motherboard took a random selection of the email addresses and tried to create accounts on Mixcloud with them. In all of the cases this was not possible as the addresses were already linked to Mixcloud accounts, corroborating the data's legitimacy.
"We have no reason to believe that any passwords have been compromised. However you may want to change yours especially if you have been using the same one across multiple services," Mixcloud suggested in its statement.
"We are actively investigating this incident. We apologize to those affected and are sorry that this has happened," it added.
Update: This piece has been updated to clarify Mixcloud's hashing method and add comment from Mixcloud.
Subscribe to our cybersecurity podcast, CYBER.