Pierluigi Paganini June 30, 2017

The Music streaming service 8tracks suffered a major data leak, 18 million user accounts have been exposed and is available online.

Music streaming service 8tracks has been affected by a major data leak that exposed ‘millions’ of customer details.

The leak seems to have been caused by a staffer that erroneously exposed 18 million user accounts. The employee left some markers on his GitHub account that breached by hackers.

The lack of security for the GitHub repository seems to be the root cause of the breach, the employee wasn’t using two-factor authentication. The staffer was keeping backups of database tables in his repository.

“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email. If you signed up via Google or Facebook authentication, then your password is not affected by this leak. 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.” states the breach notification published by the company,

“We have found what we believe to be the method of the attack and taken precautions to ensure our databases are secure. 8tracks does not store sensitive customer data such as credit card numbers, phone numbers, or street addresses.”

According to the post published by the Music streaming service, 8tracks passwords hashed and salted, users that signed up to 8Tracks via Google or Facebook aren’t affected.

8Tracks confirmed to have identified an unauthorised attempt at a password change and investigation is still ongoing.

“We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data.” continues the company.”We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.”

As usual, let me recommend to change your password on 8tracks and any websites on which you used the same login credentials.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – 8tracks, dataleak)

[adrotate banner=”13″]