Internet radio service 8tracks was hacked this week and personal details associated with a reported 18 million user accounts compromised.
In a blog post, the firm’s founder and CEO, David Porter, claimed that no financial data, phone numbers or postal addresses were exposed, but email addresses and encrypted passwords were.
“Passwords on 8tracks are hashed and salted, meaning that even we can’t tell you what your password is by looking at the database,” he continued.
“Although the decryption of one particular user’s password through brute-force techniques is unlikely, we recommend that users change their password on 8tracks and any sites on which they may have used the same password to ensure their personal security.”
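Porter's description above (hashed, salted, so the database alone does not reveal passwords) is what a well-designed password store looks like from the defender's side. The following is an added example written for this article, not 8tracks' code: it derives a per-user salt and a PBKDF2-HMAC-SHA256 digest, stores both in a self-describing record, verifies a login by re-deriving the digest, and shows why two accounts sharing a password still end up with different stored values. The algorithm, iteration count and the sample accounts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed illustrative parameters (not 8tracks' actual configuration).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Hash a password with a random per-user salt and return a self-describing record.

    The record stores algorithm, iteration count, salt and digest, so the database
    row alone is enough to verify a later login, but never contains the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest using the salt and iteration count stored in the record."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_salt(record: str) -> bytes:
    """Extract the salt bytes from a stored record."""
    return bytes.fromhex(record.split("$")[2])


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Constructed sample 'users' table: email -> password record (no plaintext stored)."""
    return {email: hash_password(pw) for email, pw in credentials.items()}


def shared_password_yields_distinct_records(table: Dict[str, str], email_a: str, email_b: str) -> bool:
    """Two accounts with the same password get different salts and therefore different
    digests, so recovering one record says nothing about the other."""
    rec_a, rec_b = table[email_a], table[email_b]
    return record_salt(rec_a) != record_salt(rec_b) and rec_a.split("$")[3] != rec_b.split("$")[3]


if __name__ == "__main__":
    # Constructed sample accounts (not real 8tracks data).
    table = build_user_table({
        "alice@example.com": "correct horse battery staple",
        "bob@example.com": "correct horse battery staple",
    })
    for email, rec in table.items():
        print(email, rec)
    print(verify_password("correct horse battery staple", table["alice@example.com"]))  # True
    print(verify_password("wrong guess", table["alice@example.com"]))                   # False
    print(shared_password_yields_distinct_records(table, "alice@example.com", "bob@example.com"))  # True
```

A leaked backup of this table exposes only salt and digest per user, which is why the advice to change reused passwords still stands: the iteration count slows guessing but does not prevent it for weak or reused passwords.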
Likening the breach to similar incidents affecting LinkedIn, Dropbox, Tumblr and MySpace, Porter urged users not to reuse passwords across different online accounts and recommended using 2FA and password managers to improve access security.
The firm’s user database is thought to have been breached thanks to a lack of 2FA on an employee’s GitHub account. An unauthorized password change then raised the alarm.
“We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data,” explained Porter.
“We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on GitHub, to limit access to repositories, and to improve our password encryption.”
Those who signed up via Google or Facebook authentication will apparently not have had their passwords compromised.
Ryan Wilk, vice-president at NuData Security, argued that the responsibility for access controls should rest with online providers.
“Site owners need to evaluate a multi-layer authentication framework that can leverage the user’s natural behaviors combined with behavior analytics and passive biometrics to give companies the optimum chance of verifying actual users,” he added.
“While hackers will continue to steal passwords and credentials to commit fraud or steal money, they are not able to replicate behavior.”