[BreachExchange] Mixcloud data breach exposes over 20 million user records

Destry Winant destry at riskbasedsecurity.com
Mon Dec 2 10:08:27 EST 2019


A data breach at Mixcloud,  a U.K.-based audio streaming platform, has
left more than 20 million user accounts exposed after the data was put
on sale on the dark web.

The data breach happened earlier in November, according to a dark web
seller who supplied a portion of the data to TechCrunch, allowing us
to examine and verify the authenticity of the data.

The data contained usernames, email addresses, and passwords that
appear to be scrambled with the SHA-2 algorithm, making the passwords
near impossible to unscramble. The data also contained account sign-up
dates and the last-login date. It also included the country from which
the user signed up, their internet (IP) address, and links to profile

We verified a portion of the data by validating emails against the
site’s sign-up feature, though Mixcloud does not require users to
verify their email addresses.

The exact amount of data stolen isn’t known. The seller said there
were 20 million records, but listed 21 million records on the dark
web. But the data we sampled suggested there may have been as many as
22 million records based off unique values in the data set we were

The data was listed for sale for $4,000, or about 0.5 bitcoin. We’re
not linking to the dark web listing.

Mixcloud last year secured a $11.5 million cash injection from media
investment firm WndrCo,  led by Hollywood media proprietor Jeffrey

It’s the latest in a string of high profile data breaches in recent
months. The breached data came from the same dark web seller who also
alerted TechCrunch to the StockX breach earlier this year. The apparel
trading company initially claimed its customer-wide password reset was
for “system updates,” but later came clean, admitting it was hacked,
exposing more than four million records, after TechCrunch obtained a
portion of the breached data.

When reached, Mixcloud spokesperson Lisa Roolant did not comment
beyond a boilerplate corporate statement, nor did the spokesperson
answer any of our questions — including if the company planned to
inform regulators under U.S. state and EU data breach notification

Co-founder Nico Perez also declined to comment further.

As a London-based company, Mixcloud falls under U.K. and European data
protection rules. Companies can be fined up to 4% of their annual
turnover for violations of European GDPR rules.

Corrected the fourth paragraph to clarify that emails were validated
against the site’s sign-up feature, and not the password reset
feature. Updated to include comment from the company.

More information about the BreachExchange mailing list