Data breaches are a harsh reality of the information world, and cases are becoming more and more rampant. The Mixcloud data breach is the latest among the high-profile mass breach cases of the past couple of months.
This breach concerns Mixcloud, a U.K.-based audio streaming service where users can upload their own tracks and DJ mixes. It is said to have occurred sometime in early November. A dark web seller supplied part of the leaked data to TechCrunch to have its authenticity and validity verified.
The service was reportedly hacked, leaving the data of around 22 million of its users exposed. What is even more cunning is that all the hacked data has been put up for sale on the dark web. Hackers are known to carry out this additional act of defiance to prove their hacked data’s authenticity.
However, the exact amount of data hacked is not yet known. According to the data seller, there were as many as 20 million records, but the listing on the dark web shows about 21 million records.
On its website, in a security notice titled “Mixcloud Security Notice” and published on 30 Nov. 2019, the company states: “We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems. Our understanding at this time is that the incident involves email and IP addresses for all Mixcloud users; and securely encrypted passwords for a minority of Mixcloud users.”
The company has maintained that a majority of Mixcloud users sign up through the popular route of Facebook authentication, and in that case, by default, passwords are not stored.
Whittaker from TechCrunch reported that, after sampling unique values in the data set, they concluded that there could be as many as 22 million records. Reportedly, all the data has been put up for sale for $4,000, or about 0.5 bitcoin, by the seller, who goes by the handle “A_W_S”.
Earlier this year, the same dark web data seller had alerted TechCrunch to the breach at StockX, a shoe and apparel company and billion-dollar marketplace. The company later admitted it was hacked, which left about 4 million records in its storage exposed.
TechCrunch reportedly procured a portion of the leaked data. A_W_S provided Motherboard with a sample of the hacked data amounting to 1,000 Mixcloud accounts. The data included hashed passwords; hashing is a method of protecting passwords so that they are stored much more securely.
With the data obtained, Motherboard, in a bid to verify the hacking claims, tried creating accounts with the email addresses in the sample. No new account could be created, which indicated that all the addresses were already linked to accounts on Mixcloud.
In cases of a data breach, companies have to inform regulators under U.S. state and EU data breach notification laws. In Mixcloud’s case, however, Mixcloud spokesperson Lisa Roolant did not comment in the affirmative on the validity of the hacking claims. She denied that Mixcloud stores any data such as credit card numbers and email addresses.
“The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers. We have no reason to believe that any passwords have been compromised. However you may want to change yours especially if you have been using the same one across multiple services.”
It is evident that the company has gone into denial mode over the reported compromise of its security and the massive data breach. However, if there is one thing the company’s users can be thankful for, it is the strongly encrypted passwords.
The hacked Mixcloud data is believed to include email addresses, usernames, links to users’ profile photos, their devices’ IP addresses, and encrypted passwords, though these are difficult to decrypt.
Mixcloud, which is based in London, may face fines under U.K. and European data protection rules. The rules say that companies can be fined up to 4% of their annual turnover, which roughly translates to £20 million. The fine pertains to violations of the European GDPR rules.