There’s bad news for internet music fans, as it has been revealed that the details of millions of users of the 8tracks internet radio service and music social network have been stolen by hackers.
In a message posted on its corporate blog, 8tracks confirms it has suffered a security breach:
“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email… 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.”
8tracks points out that users who signed up for the service via Google or Facebook authentication have not had their passwords compromised by the breach.
As Motherboard reports, the millions of leaked passwords appear to have been hashed with the SHA1 algorithm, leaving open the possibility that some of them could be cracked.
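To show why an unsalted SHA1 hash leaves passwords exposed, and what the "improved password encryption" 8tracks promises might look like, here is an added Python example (not 8tracks' code; the iteration count, record format and sample passwords are assumptions):

```python
import hashlib
import hmac
import os
import time

# Assumption: an illustrative work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA1, the scheme the leaked data reportedly used.
    Identical passwords give identical hashes and one guess costs one fast hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$hash'
    so the parameters travel with the record and can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def guess_cost_ratio(password: str = "correct horse", samples: int = 2000) -> float:
    """How many times more expensive one PBKDF2 guess is than one SHA1 guess here."""
    t0 = time.perf_counter()
    for _ in range(samples):
        legacy_sha1_hash(password)
    sha1_per_guess = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hash_password(password, os.urandom(16))
    return (time.perf_counter() - t0) / sha1_per_guess


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    print(legacy_sha1_hash("summer2017") == legacy_sha1_hash("summer2017"))  # True: no salt
    print(hash_password("summer2017") == hash_password("summer2017"))        # False: per-user salt
    print(f"one PBKDF2 guess costs about {guess_cost_ratio():,.0f}x one SHA1 guess")
```

The ratio printed last is the factor by which a slow, salted hash multiplies the cost of every guess an attacker must make against a leaked database.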
The threat of cracked passwords matters less in this particular case, because most people aren’t overly worried about their internet music accounts being overrun by hackers. Even so, a cracked password – combined with a leaked username and email address – could still provide a skeleton key to accounts on other sites if it has been reused.
As a result, the site is advising affected users to change their 8tracks passwords and to ensure that they are not using the same password anywhere else online.
That’s sensible advice. Time and time again, we see examples of password reuse where the breach of one site can then lead to stolen passwords being used to unlock an individual’s otherwise unconnected online accounts elsewhere.
The details of how 8tracks suffered a data breach may act as a salutary warning to other businesses.
As it describes in its blog post, 8tracks does not believe that its own servers were breached or accessed by unauthorized individuals.
Instead, an employee’s GitHub account was compromised. That’s what provided a method for hackers to access a system where backups were made of the user database, including the leaked data.
8tracks notes that the GitHub account was not protected by two-factor authentication, which would have provided an additional layer of security even if the employee’s password had been phished, guessed, stolen, or cracked.
The first 8tracks knew of the breach was when it received a notification from GitHub that someone had attempted to change the account’s password.
The company has apologized “to those affected by this breach for the inconvenience” and says it is working to improve its security:
“We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.”
We’ve said it before; we’ll say it again. If a site offers you two-factor authentication, please turn it on. And ensure that your employees are taking advantage of that additional layer of security, as well.
For advice on how to create a strong password, click here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.