London-based online music streaming service Mixcloud has suffered a catastrophic data breach after it was found that 21 million user records are available to purchase on a dark web marketplace.
The hacker, who uses the moniker A_W_S, contacted journalists on Friday to share details of the breach and to provide samples of the stolen data, which includes usernames, email addresses, IP addresses and passwords that appear to be scrambled with SHA-2, a set of cryptographic hash functions designed by the NSA. Hash functions are one-way, so the scrambled passwords cannot be reversed back to their cleartext form. Additionally, the company said that most users had signed up via Facebook, and so did not have a password associated with their account.
Mixcloud has acknowledged the hack and is urging users to change their passwords. The company has said “We are actively investigating this incident. We apologise to those affected and are sorry that this has happened.”
A_W_S has claimed responsibility for a growing number of hacks on major websites, most notably when he hacked online creative platform Canva and stole the details of over 137 million users. Then, as with this latest attack, user password details remained encrypted.
This obviously devastating turn of events could be just the start of Mixcloud’s problems: under GDPR rules the company could now be fined up to 4% of its annual turnover for the violation.
Notable users of the service include Wired, Harvard Business School, TED Talks, and former US President Barack Obama.