Millions of users’ accounts at popular internet radio service 8tracks have been stolen by malicious hackers who are selling the data in underground forums.
Hackers have stolen account details from 8tracks, a social internet radio streaming platform, with breached user data going back all the way to 2008. Motherboard reports it obtained a dataset cluster with some 6 million accounts’ usernames, email addresses and hashed passwords from breach notification website LeakBase, a for-profit resource. According to LeakBase, the complete dataset comprises 19 million accounts.
The passwords were notably hashed with the SHA1 algorithm, raising the possibility of hackers cracking the hashes to obtain the original passwords through a brute force attack.
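For a service holding SHA1 password digests like those described above, one mitigation is to wrap each stored digest in a slow, salted key-derivation function, so that a leaked record no longer costs one fast hash per guess. This is an added example, not 8tracks' code: it assumes unsalted SHA1 digests (the article does not say), and the record layout, function names and iteration count are illustrative.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

def legacy_sha1(password: str) -> str:
    """The weak legacy format (assumed unsalted): one fast SHA-1 per guess."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def _stretch(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()

def wrap_legacy(sha1_hex: str) -> dict:
    """Upgrade a stored SHA-1 digest in place, without knowing the password."""
    salt = os.urandom(16)  # per-record random salt
    return {"scheme": "pbkdf2-sha1", "salt": salt.hex(),
            "hash": _stretch(sha1_hex.encode("ascii"), salt)}

def hash_new(password: str) -> dict:
    """Native format for new or freshly verified passwords."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "hash": _stretch(password.encode("utf-8"), salt)}

def verify(password: str, record: dict) -> bool:
    if record["scheme"] == "pbkdf2-sha1":
        secret = legacy_sha1(password).encode("ascii")
    elif record["scheme"] == "pbkdf2":
        secret = password.encode("utf-8")
    else:
        return False  # bare SHA-1 records are never accepted for login
    salt = bytes.fromhex(record["salt"])
    # Constant-time comparison of the two hex strings
    return hmac.compare_digest(_stretch(secret, salt), record["hash"])

def login(password: str, record: dict):
    """Return (ok, record); a wrapped record is rehashed natively on success."""
    if not verify(password, record):
        return False, record
    if record["scheme"] == "pbkdf2-sha1":
        record = hash_new(password)  # drop the SHA-1 layer once we see the password
    return True, record

if __name__ == "__main__":
    stored = legacy_sha1("correct horse battery")  # constructed sample value
    ok, rec = login("correct horse battery", wrap_legacy(stored))
    print(ok, rec["scheme"])
```

Wrapping can be run over the whole user table at once because it needs only the stored digest; the SHA1 layer disappears per account as users next sign in.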
In a blog announcement, 8tracks confirmed the breach – stating that user accounts signed in via Google or Facebook authentication were not affected by the leak.
In explaining the reason for the breach, 8tracks wrote:
We believe the vector for the attack was an employee’s Github account, which was not secured using two-factor authentication. We were alerted to this breach by an unauthorized password change attempt via Github, and it was verified independently by examining data from journalists and a security services company.
8tracks offers both free and paid accounts, the latter for ad-free listening. In what will come as some relief, the stolen data does not show any signs of stolen credit card or payment data.
If you happen to be a user of 8tracks, it’s recommended that you change your password immediately. If you are likely to have used the same password on other websites, it’s strongly recommended that you change those too. A good practice would be to put a free password manager, the likes of LastPass or 1Password, to use. Password managers could avoid these pitfalls altogether through the use of unique passwords for every website that requires credentials.
Image credit: 8tracks.