Breach, Threat Management, Data Security

Data breach reportedly affects over 20M users of Mixcloud streaming service

An unauthorized party illegally accessed systems belonging to British online audio streaming service Mixcloud and is now reportedly selling the company's user data on the dark web.

Roughly 20 million to 22 million accounts were compromised in the November incident, according to multiple media organizations that were contacted by the malicious hacker late last week.

An online security notification that Mixcloud posted on Nov. 30 states describes the affected data as email addresses and IP addresses, as well as salted and hashed passwords for a "minority of Mixcloud users."

The company said most of its users signed up for via Facebook authentication, in which case passwords were not stored.

"Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services," the company advised in the notification, which was attributed to Mixcloud co-founders Nico Perez, Mat Clayton and Nikhil Shah.

Media reports listed several other data categories not referenced in the Mixcloud notification, including account sign-up dates, users' last login dates, and countries of origin. The stolen data reportedly also contained links to profile photos.

Motherboard reported that a seller with the handle "A_W_S" data is offering for data set for a price of 0.5 bitcoins, which today is worth about $3,600.

"Any breach is unfortunate, although in this instance, it is fortunate that Mixcloud appeared to correctly secure the user passwords by hashing and salting them," Javvad Malik, security awareness advocate at KnowBe4, said in emailed comments. "However, the breach raises some questions around how the attacker got into the system, and why... Mixcloud [was] unable to detect when the breach occurred. It highlights the importance for all companies of all sizes and verticals to look into how they deploy security controls across their people, process and technology, as well as factoring in preventative, detective and recovery measures."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.