8tracks’ 18 Million User Account Details Hacked
8tracks has revealed that the details of millions of users of its internet radio service and music social network have been stolen by hackers.
The following message was posted on its corporate blog after the hack:
“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email… 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.”
8tracks points out that users who signed up for the service via Google or Facebook authentication have not had their passwords compromised by the breach.
As Motherboard reports, the millions of leaked passwords appear to have been hashed with the SHA1 algorithm, leaving open the possibility that some of them could be cracked.
The threat posed by cracked passwords is lower in this particular case, because most people aren’t overly worried about their internet music accounts being taken over by hackers. Even so, a cracked password – combined with a leaked username and email address – could still provide a skeleton key for accounts on other sites to be broken into if it’s been reused.
As a result, the site is advising affected users to change their 8tracks passwords and to ensure that they are not using the same password anywhere else online.
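For teams that still hold SHA1 password hashes like those reported above, the following added example (not code from 8tracks or from the original article) shows one way to stop keeping fast hashes in databases and backups: wrap each stored SHA1 digest in salted scrypt immediately, then upgrade to plain scrypt at the user's next successful login. The unsalted legacy format, the record layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Memory-hard cost parameters for scrypt (about 16 MiB per guess).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_sha1(password):
    # Assumed legacy scheme (not stated in the article): SHA-1 of the raw password.
    return hashlib.sha1(password.encode("utf-8")).digest()

def wrap_legacy(sha1_digest):
    """Protect an existing SHA-1 record without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(sha1)", "salt": salt,
            "hash": hashlib.scrypt(sha1_digest, salt=salt, **SCRYPT)}

def new_record(password):
    """Record for a new or upgraded account: salted scrypt of the password itself."""
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt,
            "hash": hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)}

def verify(password, record):
    """Return (ok, record); a wrapped record is upgraded on successful login."""
    if record["scheme"] == "scrypt(sha1)":
        material = legacy_sha1(password)
    elif record["scheme"] == "scrypt":
        material = password.encode("utf-8")
    else:
        return False, record  # bare SHA-1 rows are never accepted
    candidate = hashlib.scrypt(material, salt=record["salt"], **SCRYPT)
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] == "scrypt(sha1)":
        record = new_record(password)  # drop the SHA-1 layer
    return True, record

def migrate(users):
    """One-off batch job: users maps email -> legacy SHA-1 hex string."""
    return {email: wrap_legacy(bytes.fromhex(h)) for email, h in users.items()}

# Constructed sample data, not taken from the leak.
LEGACY_DB = {"alice@example.com": hashlib.sha1(b"correct horse").hexdigest()}
```

Wrapping only protects copies made after the migration; digests that have already leaked remain as crackable as before, which is why the password change advised above is still needed.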
The details of how 8tracks suffered a data breach may act as a salutary warning to other businesses.
As it describes in its blog post, 8tracks does not believe that its own servers were breached or accessed by unauthorized individuals; rather, the breach came through an employee’s GitHub account that was compromised. That gave hackers a way to access a system where backups of the user database, including the leaked data, were made.
8tracks notes that the GitHub account was not protected by two-factor authentication, which would have provided an additional layer of security even if the employee’s password had been phished, guessed, stolen, or cracked.
The company has apologized “to those affected by this breach for the inconvenience” and says it is working to improve its security.
Source | tripwire