Published on July 1st, 2017📅| 0
Streaming Music Site 8tracks Hacked, 18 Million Accounts Stolen
Streaming music and social media website 8track suffered a data breach that resulted in more than 18 million user account credentials being stolen, the company disclosed this week.
Accounts included in the breach date back as far as 2008. While basic user information like email address and password were compromised, it is not believed other personally revealing information was caught in the breach.
In a blog post announcing the breach, 8tracks made it a point to note that users who login to their account through a third-party authorization such as Google or Facebook are safe; their login process is handled through other channels and their passwords were not stored by 8tracks.
The company also noted that its passwords were not stored in plaintext but were rather were protected by a hashing algorithm. In other words, the passwords were encrypted in a way that is designed to make the passwords more difficult to access. 8tracks also used a random salt, which adds additional protection against potential decryption by including random characters to the password.
While passwords associated with 8track accounts may be encrypted, they were hashed using the SHA-1 algorithm—an encryption method that has been made essentially obsolete and is no longer recommended for security purposes.
Google successfully cracked the SHA-1 algorithm earlier this year and there have been other instances where the hashing methods has been cracked to reveal passwords, including the 2016 breach of LinkedIn.
According to 8tracks, the attack occurred after a company employee’s Github account was compromised. The account did not have two-step authentication activated. 8tracks said its security experts have found what they believe to be the method of attack and have taken action to patch the problem and secure the database.
It’s just the latest incident in which an employee’s account has been compromised and led to a wider breach. Earlier this year, a similar occurrence resulted in 17 million passwords being stolen from a database for restaurant search and discovery site Zomato.
The company also noted it does not store sensitive customer data such as credit card numbers, phone numbers or street addresses, so no personally identifiable information beyond email address and password has been exposed.
In response to the breach, the company said it has secured the compromised employee account, changed passwords for its storage systems and added access logging to our backup system. 8tracks is also auditing its security practices and will begin to require two-step authentication on Github and improve password encryption.
8tracks is advising its users to change their password and is encouraging all users to use extra security steps like two-step authentication and password managers that securely store passwords for multiple sites and services.
For any user who uses the same password on 8tracks as they do on another service, it is important to change passwords on those services as well. Database leaks are easily be cross-referenced and a hacker can access multiple accounts just by finding a single password.