8tracks data leak exposed 18 million user accounts

The Music streaming service 8tracks suffered a major data leak, 18 million user accounts have been exposed and is available online.

Music streaming service 8tracks has been affected by a major data leak that exposed ‘millions’ of customer details.

The leak seems to have been caused by a staffer that erroneously exposed 18 million user accounts. The employee left some markers on his GitHub account that breached by hackers.

The lack of security for the GitHub repository seems to be the root cause of the breach, the employee wasn’t using two-factor authentication. The staffer was keeping backups of database tables in his repository.

“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email. If you signed up via Google or Facebook authentication, then your password is not affected by this leak. 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.” states the breach notification published by the company,

“We have found what we believe to be the method of the attack and taken precautions to ensure our databases are secure. 8tracks does not store sensitive customer data such as credit card numbers, phone numbers, or street addresses.”

According to the post published by the Music streaming service, 8tracks passwords hashed and salted, users that signed up to 8Tracks via Google or Facebook aren’t affected.

8Tracks confirmed to have identified an unauthorised attempt at a password change and investigation is still ongoing.

“We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data.” continues the company.”We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.”

As usual, let me recommend to change your password on 8tracks and any websites on which you used the same login credentials.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – 8tracks, dataleak)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.