Incident Of The Week: Mixcloud Data Breach Puts 20 Million Users at Risk

Data Privacy Exposure Could Lead To Millions In Fines



Kayla Matthews
12/06/2019

Music Streaming Breach

British music streaming service Mixcloud admitted this month that data from more than 20 million users was compromised in a data breach.

The breach came in a year that's been particularly bad for data breaches so far, and has forced many businesses to seriously examine how they will defend user data and respond to unauthorized access of protected data.

This is how the breach happened, who is at risk and how Mixcloud plans to respond.

What Data Was Stolen

The breached user data includes email addresses, IP addresses and passwords. The stolen passwords were salted and hashed, meaning that the hackers did not have access to the plain text versions and that the original passwords are unlikely to be recovered.

In a blog post, Mixcloud said it was "actively investigating the incident."

The data, which has been verified by TechCrunch, is being sold right now on the dark web for around 0.5 bitcoin, or $4,000. The seller claims that the stolen data includes records from around 20 million unique users. According to TechCrunch's analysis of the data, however, that number may be higher than 22 million.

It was not immediately clear how long Mixcloud knew about the breach — which likely took place in early November — before disclosing.

The service did confirm that it does not store full credit card numbers or mailing addresses, and so none should be at risk. Mixcloud also recommended that users change passwords if they believe their data was compromised, especially if their Mixcloud password was the same as one they use on another site.

Users who logged into Mixcloud through a third-party service, like Facebook, did not have their passwords exposed.

It still isn't known what led to the breach or how the hackers were able to access the data. As a UK-based company, Mixcloud will be required to comply with GDPR rules regarding data privacy and breach notification. If Mixcloud failed to properly safeguard the stolen data, the company could be fined as much as four percent of annual global turnover or €20 million, whichever is higher.

A Bad Year for Data Privacy

The Mixcloud breach came in a year that has already seen a number of other high-profile breaches.

Other significant breaches — like those suffered by Capital One, DoorDash, Georgia Tech and StockX — targeted major companies, smaller startups and organizations in the public sector.

Despite the number of records exposed, the Mixcloud breach almost certainly won't count among the top 10 biggest or most expensive data breaches of the year.

What the Mixcloud Breach Means for Data Security

The Mixcloud breach was another reminder of how much confidential data companies hold on to, and how vulnerable this data can be, despite the best efforts of cyber security teams.

While Mixcloud seems to have taken security precautions that should prevent any further damage or account theft, the breach is probably bad news for the company. In the future, we're likely to see more stories like this as user data continues to become more valuable and more companies store confidential customer information on the web.
