Hackers Breach Mixcloud and Sell Users' Data Online
After they breach an online service or a website, hackers usually try to monetize the stolen data by selling it either on the dark web or on one of the many hacking forums that are indexed by Google and easily accessible. Given how valuable personal information can be, selling the data to other criminals often isn't much of a challenge. Apparently, however, pilfered databases are sometimes harder to shift. A hacker going by the nickname A_W_S, for example, was probably having a hard time selling a database they had stolen from the Mixcloud streaming service, which is why they decided to get the word out by bragging about the attack to the media.
Last week, A_W_S got in touch with Zack Whittaker from TechCrunch, Joseph Cox from Motherboard, and Catalin Cimpanu from ZDNet and told them that Mixcloud had suffered a data breach. A_W_S said that they had single-handedly managed to pilfer the records of a whopping 21 million subscribers, and that the data was for sale on a dark web marketplace.
A_W_S isn't actually new to this sort of thing. According to ZDNet's reporter, they worked alongside another cybercriminal known as Gnosticplayers, whose love of media attention became apparent earlier this year after a few relatively high-profile attacks. But how does the Mixcloud breach stack up against Gnosticplayers' activities?
Not the most horrific breach in the world
All three news outfits received samples of the data to confirm its authenticity. The reporters saw usernames, email and IP addresses, dates of account registrations, and salted hashes of people's passwords in the database. They got in touch with some of the affected individuals and tried to register new Mixcloud accounts with some of the emails, and they confirmed that the information was indeed genuine. The dates on which some of the registrations were made suggested that the attack was pulled off mere weeks ago. So, the data is real, and it's most likely valid. It's a good thing, then, that there's not a whole lot of it.
After it learned about the breach, Mixcloud pointed out that it stores no credit card details or physical addresses. It also said that most of its users have signed up for the service using their Facebook accounts, which, in itself, limits the amount of exposed data to a certain extent. More importantly, the streaming service provider said that the stolen passwords had been salted and hashed securely, which the news outlets managed to confirm. Mixcloud used SHA-2, a family of cryptographic hash functions designed to be one-way: it is practically impossible to reverse a hash and recover the password it was computed from, and the salt means that precomputed lookup tables of common password hashes are of no use against the stolen records.
As a result, the crooks that pay for the database won't actually get a whole lot for their money, which is probably why the data isn't attracting that much attention. When TechCrunch and Motherboard wrote about the breach on November 29, A_W_S was asking 0.5 bitcoin or $4,000 for it, but by the time ZDNet's report came out on December 1, the price had been reduced to 0.27 bitcoin or about $2,000.
Not the best response in the world
Mixcloud apparently knew nothing about the breach before the initial report in the media. About 24 hours after the news broke, the streaming service provider came up with what Zack Whittaker rather accurately described as "a boilerplate corporate statement". In addition to the inevitable "we take security very seriously" statement, the blog post contained information on the password storage mechanisms and on the relatively limited amount of data that was exposed. It didn't contain the number of people that were affected by the breach, and it said nothing about the precautions taken to better protect them in the future. The decision to include an FAQ section that has only two questions is also rather strange considering the fact that more than 20 million records have allegedly been stolen.
When reporters asked for further comment, Mixcloud's spokespeople remained silent, which is further proof that the streaming service provider could have been a bit more transparent in its disclosure. We can only hope that other vendors that suffer data breaches will be able to handle them a bit better.