Internet radio service 8tracks this week informed users of a database hack, prompting them to reset their passwords to prevent account compromise.
8tracks announced this week that hackers are in possession of a copy of their database, which contains the email addresses and encrypted passwords of users who signed up using email. Users who used Google or Facebook authentication to sign up for the service are unaffected.
The company also revealed that it stores passwords using “one-way hashes to ensure they remain difficult to access.” Such password hashes, however, can be brute-forced, even if the operation is “expensive and time-consuming,” as 8tracks’ David Porter notes in a blog post.
The radio service didn’t provide information on the number of affected users, but did say the breach “was verified independently by examining data from journalists and a security services company.” The leaked database supposedly contained over 18.5 million entries.
“Passwords on 8tracks are hashed and salted, meaning that even we can’t tell you what your password is by looking at the database. Although the decryption of one particular user’s password through brute-force techniques is unlikely, we recommend that users change their password on 8tracks and any sites on which they may have used the same password to ensure their personal security,” Porter continues.
He also notes that the data breach 8tracks suffered appears similar to those previously impacting accounts with Adobe, Dropbox, LinkedIn, Tumblr and MySpace. He also reveals that an employee’s GitHub account was found to be the vector of attack. The account wasn’t protected via two-factor authentication, and the company was alerted by an “unauthorized password change attempt via GitHub.”
Soon after being alerted to the attack and learning the compromise vector, the company took precautions to ensure its databases are secure, Porter says. He also points out that the hack didn’t involve “access to database or production servers, which are secured by public/private SSH-key pairs.”
Functioning both as a social network and a radio service, 8tracks allows users to create paid accounts to take advantage of an ad-free experience. However, 8tracks does not store credit card numbers, phone numbers, street addresses, or similar sensitive customer data on its servers, Porter reveals.
Because the hackers gained access to a system containing a backup of database tables, which included the aforementioned leaked data, the company took the necessary steps to secure the compromised account and also “changed passwords for our storage systems, and added access logging to our backup system,” Porter says.
As always, users are advised to secure each of their online accounts with a different password and to use strong, randomly generated passwords. They should also take additional steps to secure their accounts, such as using two-factor authentication.