Popular internet radio and social networking service 8tracks has suffered a major data breach that compromised details of at least 18 million users.
The company confirmed the breach in a blog post on Tuesday (27 June), saying a copy of its user database, which included users' email addresses and encrypted passwords, had been leaked.
Only users who signed up for the service using email were affected by the breach.
"If you signed up via Google or Facebook authentication, then your password is not affected by this leak", 8tracks CEO and founder David Porter wrote. "8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access.
"These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password."
8tracks noted that it does not store customers' sensitive data such as credit card numbers, phone numbers or street addresses.
The company said it believed it found the method of the attack as well - via an employee's Github account that was not secured using two-factor authentication.
8tracks said they were alerted about the breach by an unauthorized password change attempt via Github and later independently verified it by examining data from journalists and for-profit breach notification site LeakBase.
Motherboard, who obtained a dataset of about 6 million usernames, email addresses and hashed passwords from LeakBase, reported that the passwords seemed to be hashed with the weak SHA1 algorithm. Some signups even dated back to 2008, Motherboard noted.
8tracks said it does not believe the hackers gained access to its database or production servers that are secured by public/private SSH-key pairs. However, the breach did give the threat actors access to a system that contained a backup of database tables, including user data.
"We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system," 8tracks said. "We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.
"We apologize to those affected by this breach for the inconvenience and are grateful for your understanding and support. We are committed to doing our absolute best to protect our community and keep our users' data safe."