It has been reported that unknown hackers are selling as many as 21 million customer records on the Dark Web for 0.5 bitcoin after stealing them from a number of systems owned by online music streaming service Mixcloud in November.
On Saturday, 30th November, Tech Crunch reported that hackers breached several systems belonging to Mixcloud, stole up to 22 million customer data records, and put the records up for sale on the Dark Web for 0.5 bitcoin (£2,822.84).
The breached customer records, as per Mixcloud’s own admission, contained email addresses, IP addresses and securely encrypted passwords and according to Tech Crunch, also contained links to profile photos, IP addresses, countries where users signed up, account sign-up dates and last-login dates.
Mailing addresses & credit card details were not compromised, says Mixcloud
In a blog post published on Saturday, Mixcloud confirmed that the breach did take place and stated that while customer records of a minority of Mixcloud users were compromised by the incident, such records did not include credit card numbers or mailing addresses and the stolen passwords were also encrypted with salted cryptographic hashes.
“Our understanding at this time is that the incident involves email addresses, IP addresses and securely encrypted passwords for a minority of Mixcloud users. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.
“Whilst we have no reason to believe that any passwords have been compromised, you may want to change yours, especially if you have been using the same one across multiple services.
“We are actively investigating the incident. We apologize to those affected and are sorry that this has happened. We understand this is frustrating and upsetting to hear, and we take the trust you put in us very seriously,” said the streaming service’s co-founders.
Hackers selling billions of stolen credentials on Dark Web marketplaces
It is a well-known fact among security researchers that cyber criminals target enterprise systems containing customer records and other data not only to commit identity fraud and carry out phishing campaigns, but also to earn money by selling suchrecords on the Dark Web.
In February this year, over 620 million stolen online accounts were put up for sale on the Dream Market cyber-souk, a Dark Web marketplace that could be accessed using Tor. These accounts contained names, email addresses, and passwords of millions of people from across the globe.
While 162 million accounts were stolen from Dubsmash, 151 million were stolen from MyFitnessPal, 92 million from MyHeritage, 41 million from ShareThis, 28 million from HauteLook, 25 million from Animoto, 18 million from Whitepages, 16 million from Fotolog, 11 million from Armor Games, and 8 million such accounts were stolen from BookMate.
Millions of online accounts account details were also stolen from other platforms such as Artsy, CoffeeMeetsBagel, DataCamp, 500px, and EyeEm. The passwords for all online accounts were hashed using the age-old MD5 algorithm and could be decrypted using standard software by those purchasing such accounts on the marketplace.