Mixcloud user accounts up for sale on dark web

A hacker is ransoming account data stolen from UK-based music streaming service Mixcloud, according to news websites contacted by the attacker last week.

News of the breach first emerged on Vice, which received 1,000 sample accounts from a claimed total of 21 million that a hacker called ‘A_W_S’ seems to have nabbed on or around 13 November.

The data includes account holders’ email addresses, IP addresses, and password hashes, which Vice was able to verify as genuine. No financial data or mailing addresses are involved as the company says it doesn’t store these.

The sum reportedly demanded by the hacker is a surprisingly modest 0.5 bitcoins, equivalent to $3,700 at this week’s exchange.

This is a dark web auction so it’s possible this is simply a starting price against which the hacker wants Mixcloud to bid to have the data returned.

It’s also possible that the hacker doesn’t have as much data as claimed – for now, it’s impossible to know.

Mixcloud’s CTO and co-founder Mat Clayton told Vice he’d not been aware of the breach until told about it by journalists and that the company was “actively investigating” what had happened.

A subsequent announcement by Mixcloud confirmed the breach but offered reassurance regarding the strength of the password hashing used, reportedly SHA-256:

The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers.

What to do?

This might turn out to be a major breach or something more limited in scope. The safest response is to assume the worst, however.

How account holders react depends on how they signed up for Mixcloud.

The advisory claims the majority of accounts log in using their Facebook IDs, which means that Mixcloud does not hold any password data. For anyone in this camp, the data at risk is their email address.

Anyone who signed up by creating a password on the site itself would be advised to change that as soon as possible regardless of the assurances offered about hashing.

According to the company’s brief FAQ at the bottom of its advisory, this won’t happen automatically when account holders next log in and will need to be initiated manually.

This isn’t ideal because there’s always a possibility that some account holders won’t hear of a breach for weeks, or longer.

And finally…

Remember, data breaches can lead to phishing attempts, so watch out for emails that look like they might be from Mixcloud but are in fact trying to lure you to a bogus website that will capture your login credentials. Crooks know that people often reuse passwords, so knowing your credentials for one site means they can try them out on other sites – and might get lucky.

So, our advice is:

  • Avoid login links that arrive in a message. If you need to login to one of your online accounts, use a link that you figured out yourself. Reputable services may ask you to login, but they generally avoid sending you a link in the email.
  • Use unique passwords for every site you register with. If this sounds like hard work, use a password manager. It has the added benefit of protecting you against phishing attempts – for example, it wouldn’t prompt you to enter your Mixcloud credentials on a fake website.
  • Use 2FA on every account you can. 2FA codes are usually sent to or generated on your phone every time you login, making your password alone much less useful to a crook.