A hacker has breached online music streaming service Mixcloud earlier this month and is now selling the site’s user data online, on a dark web marketplace.
The hack came to light on Friday, when the hacker contacted several journalists to share news of the breach and to provide data samples, including to ZDNet.
According to a sample of the stolen data, the hacker is selling Mixcloud user information that includes details such as usernames, email addresses, hashed password strings, users’ country of origin, registration dates, last login dates, and IP addresses.
The breach appears to have taken place on or before November 13, which is the registration date for the last user profile included in the data dump.
ZDNet emailed several users whose data was included in the sample we received, and several have confirmed they had recently registered a Mixcloud account. Tech news sites TechCrunch and Motherboard also verified the data authenticity through other means, as well.
Mixcloud confirmed the breach in a blog post on Saturday.
The company said that most users had signed up through Facebook, and did not have a password associated with their account.
For those that did, Mixcloud said that passwords should be safe, as each one was salted and passed through a strong hashing function (SHA256 algorithm, according to the sample we received), making it currently impossible to reverse back to its cleartext form.
Either way, the company recommended that users reset passwords, just to be safe.
This means that the data advertised on the dark web right now is just a long list of email addresses and uncrackable passwords. The Mixcloud data is currently sold for a price of $2,000.
The hacker behind the Mixcloud breach goes by the name of A_W_S and has been involved in other hacks together with another hacker known as Gnosticplayers.
He previously claimed responsibility in August for hacking Canva (137 million users), Chegg (40 million), Poshmark (36 million), PromoFarma (26 million), RoadTrippers (25 million), StockX (6.8 million), StorEnvy (23 million), and Wirecard Brazil (48 million).
When ZDNet asked for proof of the breaches, he only provided user data samples for four — namely Canva, Chegg, PromoFarma, and RoadTrippers.
Update on this: I’ve asked the hacker for proof or samples of the hacked data. Two days later, he only provided samples for four sites (Canva, Chegg, PromoFarma, and RoadTrippers). So, at the moment, it’s unclear if he has data on all sites. Might be a scam. 🙄
— Catalin Cimpanu (@campuscodi) August 5, 2019
Only Canva, Chegg, and StockX publicly acknowledged the breaches. The other five companies did not return a request for comment from ZDNet, sent back in August.
This data, too, had been put up for sale online, on August 5, earlier this year.