8tracks Prompts Password Reset After Hack

Internet radio service 8tracks this week informed users of a database hack, prompting them to reset their passwords to prevent account compromise.

8tracks announced this week that hackers are in possession of a copy of its database, which contains the email addresses and encrypted passwords of users who signed up using email. Users who used Google or Facebook authentication to sign up for the service are unaffected.

The company also revealed that it stores passwords using “one-way hashes to ensure they remain difficult to access.” Such password hashes, however, can be brute-forced, even if the operation is “expensive and time-consuming,” as 8tracks’ David Porter notes in a blog post.

The radio service didn’t provide information on the number of affected users, but did say the breach “was verified independently by examining data from journalists and a security services company.” The leaked database supposedly contained over 18.5 million entries.

“Passwords on 8tracks are hashed and salted, meaning that even we can’t tell you what your password is by looking at the database. Although the decryption of one particular user’s password through brute-force techniques is unlikely, we recommend that users change their password on 8tracks and any sites on which they may have used the same password to ensure their personal security,” Porter continues.

He also notes that the data breach 8tracks suffered appears similar to those previously impacting accounts with Adobe, Dropbox, LinkedIn, Tumblr and MySpace, and reveals that an employee’s GitHub account was found to be the vector of attack. The account wasn’t protected via two-factor authentication, and the company was alerted by an “unauthorized password change attempt via GitHub.”

Soon after being alerted to the attack and learning the compromise vector, the company took precautions to ensure its databases are secure, Porter says. He also points out that the hack didn’t involve “access to database or production servers, which are secured by public/private SSH-key pairs.”

Functioning both as a social network and a radio service, 8tracks allows users to create paid accounts to take advantage of an ad-free experience. However, 8tracks does not store credit card numbers, phone numbers, street addresses, or similar sensitive customer data on its servers, Porter reveals.

Because the hackers gained access to a system containing a backup of database tables, which included the aforementioned leaked data, the company took the necessary steps to secure the compromised account and also “changed passwords for our storage systems, and added access logging to our backup system,” Porter says.

As always, users are advised to secure each of their online accounts with a different password and to use strong, randomly generated passwords. They should also take additional steps to secure their accounts, such as using two-factor authentication.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
