British music streaming service Mixcloud Ltd. has been hacked, with about 21 million customer records stolen.
The breach is believed to have occurred in November and only came to light after a “dark web” seller revealed a portion of the stolen data for sale.
The data included usernames, email addresses, signup dates, login details including IP addresses, profile photos and hashed passwords. The stolen data is currently for sale on the dark web, a shady part of the internet reachable with special software, for 0.5 bitcoin, the equivalent of $3,664.
Mixcloud is a music streaming service that allows for the listening and distribution of radio shows, DJ mixes and podcasts, which are crowdsourced by its registered users.
Mixcloud confirmed the hack in a blog post Saturday, saying that it believes the data involves only a minority of users. The company noted that the passwords were protected with “salted cryptographic hashes to ensure that they are extremely difficult to unscramble.” As a precaution, Mixcloud advised affected users to change their passwords.
How the hack took place remains unknown. As a U.K.-based company, Mixcloud is required to comply with the European Union’s General Data Protection Regulation, so an investigation will be forthcoming. Even if the U.K. leaves the EU later this year or early next year, the regulation will still apply because the company has customers in Europe.
“In terms of the alleged breach of Mixcloud, it seems that an incident has indeed occurred but its scope and impact are pretty obscure,” Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, told SiliconANGLE. “I’d refrain from any determinative conclusions until Mixcloud conducts a holistic investigation including an in-depth review of their trusted third-parties for possible data breaches or leaks.”