A data breach at Mixcloud, a U.K.-based audio streaming platform, has left more than 20 million user accounts exposed after the data was put on sale on the dark web.
The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.
The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their internet (IP) address, and links to profile photos.
We verified a portion of the data by validating emails against the site’s password reset feature.
The exact amount of data stolen isn’t known. The seller said there were 20 million records, but listed 21 million records on the dark web. But the data we sampled suggested there may have been as many as 22 million records.
The data was listed for sale for $4,000, or about 0.5 bitcoin. We’re not linking to the dark web listing.
Mixcloud last year secured a $11.5 million cash injection from media investment firm WndrCo, led by Hollywood media proprietor Jeffrey Katzenberg.
It’s the latest in a string of high profile data breaches in recent months. The breached data came from the same dark web seller who also alerted TechCrunch to the StockX breach earlier this year. The apparel trading company initially claimed its customer-wide password reset was for “system updates,” but later came clean, admitting it was hacked, exposing more than four million records, after TechCrunch obtained a portion of the breached data.
An email to Mixcloud’s press mailbox bounced, and its last listed public relations agency told TechCrunch it no longer represents the company.
As a London-based company, Mixcloud falls under U.K. and European data protection rules. Companies can be fined up to 4% of their annual turnover for violations of European GDPR rules.