Faithless database hacked
Database of Faithless website has been compromised using malware through SQL injectionFaithless

Hackers have carried out an attack on the database of Faithless, the electronic band, affecting the personal data of thousands of music fans. The data containing email IDs and passwords people used to access the website has now been sold on the dark web.

Faithless, which is known as the pioneer of British dance music, made its debut in 1995 with a group that included Maxi Jazz, Sistem Bliss and Rollo Armstrong. It has sold about 12 million records worldwide.

The cyberattack on the band is one of the many high-profile hacks in the past few months. These include the BBC website, the Wetherspoon pub chain, Talk Talk and Ashley Madison. Experts believe that hackers could continue attacks on other music websites as well.

SQL injection

Cybersecurity firm CyberInt, which first spotted the data breach, claims that hackers uploaded malware through SQL injection on faithless.co.uk. Although the breach came to light in September 2015, CyberInt revealed the cyberattack only recently.

Using SQL injection, an attacker can execute malicious SQL commands which control a web application's database server. This is one of the very common and dangerous vulnerabilities. SQL injection could affect any website or web application that uses an SQL-based database.

Elad Ben-Meir, vice-president of marketing at CyberInt, told the Independent: "We have a system that collects cyber threat intelligence in real time, and as part of our work we uncovered a Faithless database being sold on the dark web, and we flagged it up with them."

"I think they fixed the issue but they didn't quite go out and tell anyone that, so that leaves their fans, about 18,000 people, unaware that their private information has been compromised," added Ben-Meir.

The dark web is a section of the internet which is not indexed by Google, and requires special software tools such as Tor browser to gain access to. Even though it is designed to protect privacy, it is also associated with illicit activities.

Ben-Meir further noted: "Although the actual details for sale on the Dark Web are likely to sell for only a few hundred dollars, they could end up costing unlucky music fans far more."

By gaining access to the email addresses, hackers could take their activity to a different level to obtain additional information of users. "The fraudster will send the fan a spoof email asking the victim to open an attachment or follow a link to a fake phishing website. Once the attachment is opened or the link clicked, the hacker could gain additional information about the fan or event take control of the fan's computer," warns Ben-Meir.

He said the Faithless hack "could signal the start of a new trend of attacks on the UK's £3.5bn a year music industry".

Among other music websites, Sony Music has been compromised on several occasions in the past five years.