More than 20 million Mixcloud user records leaked

  • Category: Industry
  • Author: 音樂地圖

      2020/01/07 02:24

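    ◎ Mixcloud, a U.K.-based music streaming platform, has suffered a data breach; more than 20 million user records were exposed after the leaked data was put up for sale online.
    ◎ An unnamed online seller said the breach happened in early November. The seller supplied a portion of the data to the technology news site TechCrunch so that its authenticity could be examined and verified. The data contained usernames, email addresses, and passwords that appear to have been encrypted with the SHA-2 algorithm, making the passwords nearly impossible to decrypt. Other data included account sign-up dates, last-login dates, the country from which the user signed up, user IP addresses, and links to profile photos.
    ◎ The exact amount of data stolen is unknown. The seller said there were 20 million records, but TechCrunch's data suggests there may be as many as 22 million. The data was priced at $4,000, or about 0.5 bitcoin.
    ◎ Mixcloud issued no company statement about the incident and declined to comment further. As a London-based company, Mixcloud is subject to U.K. and European data protection rules. Companies that violate European GDPR rules can be fined up to 4% of their annual turnover.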

    Full text:

    A data breach at Mixcloud, a U.K.-based audio streaming platform, has left more than 20 million user accounts exposed after the data was put on sale on the dark web.
    The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.
    The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their internet (IP) address, and links to profile photos.
    We verified a portion of the data by validating emails against the site’s sign-up feature, though Mixcloud does not require users to verify their email addresses.
    The exact amount of data stolen isn’t known. The seller said there were 20 million records, but listed 21 million records on the dark web. But the data we sampled suggested there may have been as many as 22 million records based off unique values in the data set we were given.
    The data was listed for sale for $4,000, or about 0.5 bitcoin. We’re not linking to the dark web listing.
    Mixcloud last year secured an $11.5 million cash injection from media investment firm WndrCo, led by Hollywood media proprietor Jeffrey Katzenberg.
    It’s the latest in a string of high profile data breaches in recent months. The breached data came from the same dark web seller who also alerted TechCrunch to the StockX breach earlier this year. The apparel trading company initially claimed its customer-wide password reset was for “system updates,” but later came clean, admitting it was hacked, exposing more than four million records, after TechCrunch obtained a portion of the breached data.
    When reached, Mixcloud spokesperson Lisa Roolant did not comment beyond a boilerplate corporate statement, nor did the spokesperson answer any of our questions — including if the company planned to inform regulators under U.S. state and EU data breach notification laws.
    Co-founder Nico Perez also declined to comment further.
    As a London-based company, Mixcloud falls under U.K. and European data protection rules. Companies can be fined up to 4% of their annual turnover for violations of European GDPR rules.
    Corrected the fourth paragraph to clarify that emails were validated against the site’s sign-up feature, and not the password reset feature. Updated to include comment from the company.

     

    Techcrunch
    https://tcrn.ch/2rJYRUR