British streaming service Mixcloud has been hacked and the personal data of tens of millions of users put up for sale on the dark web, it has emerged.
The service issued a brief statement on Saturday confirming the incident.
“We received credible reports this evening that hackers sought and gained unauthorized access to some of our systems,” it noted.
“Our understanding at this time is that the incident involves email addresses, IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.”
One saving grace is that the firm doesn’t store full credit card details or mailing addresses.
Another is that the passwords of those who signed up directly rather than via Facebook authentication are protected with SHA-2, a set of NSA-designed cryptographic hash functions which are thought to be almost impossible to crack. Strictly speaking this is hashing rather than encryption: the stored values are one-way digests, not ciphertext that can be decrypted with a key.
Although Mixcloud hasn’t revealed the true scale of the attack, the alleged hacker told various news sources that the trove contained details of at least 20 million customers, which they have put up for sale on the dark web for 0.5 Bitcoin ($3650).
“Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services,” the firm concluded.
Users should also be on the lookout for follow-on phishing attempts as fraudsters use their breached personal information to craft convincing-looking scam emails designed to elicit more info.
It’s unclear whether the breach came as a result of deficient internal security policies, but given Mixcloud is a UK-based company, the Information Commissioner’s Office (ICO) will be keen to take a look.
The number of global breaches (+54%) and exposed records (+52%) both grew significantly from the first half of 2018 to the first six months of this year, according to Risk Based Security.