Hackers accessed 8tracks's user database and pilfered information, including email addresses and encrypted passwords, from at least 18 million accounts signed up for the Internet radio service using email.
“If you signed up via Google or Facebook authentication, then your password is not affected by this leak,” according to a Tuesday blog post on the company's website. “8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.”
The company said it also believed it had uncovered the method of attack, through “an employee's Github account, which was not secured using two-factor authentication,” and had “taken precautions to ensure our databases are secure.”
8tracks became aware of the hack after being alerted “by an unauthorized password change attempt via Github.” The company verified the breach after reviewing data from both journalists and security firm LeakBase.
The company doesn't believe access was gained “to database or production servers, which are secured by public/private SSH-key pairs,” the company wrote. “However, it did allow access to a system containing a backup of database tables, including this user data.”
In addition to securing the account used to facilitate the breach, it had “changed passwords for our storage systems, and added access logging to our backup system,” 8tracks said. “We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.”