Social network internet radio site 8tracks has confirmed in a message posted on its corporate blog that it has suffered a security breach:
“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email. If you signed up via Google or Facebook authentication, then your password is not affected by this leak. 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.”
Motherboard reported that it had received a dataset of six million usernames, email addresses, and hashed passwords. The passwords appear to be hashed with the SHA-1 algorithm, a fast general-purpose hash rather than a purpose-built password hashing function, meaning that the hackers may be able to recover some of the original passwords by guessing. Leakbase, which provided Motherboard with the data, claims that the full dataset contains around 18 million user account details.
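The reason a fast hash such as SHA-1 matters is that every guess costs the attacker almost nothing, and if no per-user salt is used, two users with the same password share the same hash. The following added example (written for this article, not code from 8tracks or Motherboard) shows the mitigation a site in this position would apply: verify legacy SHA-1 records on login, then transparently re-hash the password with salted PBKDF2-HMAC-SHA256 so the stored value becomes slow to guess and unique per user. The user record layout, the email address and the password "password1" are constructed for the illustration, and the legacy records are assumed to be unsalted SHA-1.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample store: one legacy record hashed as unsalted SHA-1
# (an assumption about the old scheme, used only to illustrate the upgrade).
LEGACY_USERS = {
    "alice@example.com": {
        "scheme": "sha1",
        "hash": hashlib.sha1(b"password1").hexdigest(),
    },
}

# PBKDF2 work factor; high enough that each guess costs the attacker real CPU time.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build a salted, slow-hash record for a password (new-style scheme)."""
    salt = salt or secrets.token_bytes(16)  # random per-user salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2_sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Check a password against either the legacy or the upgraded record."""
    if record["scheme"] == "sha1":
        candidate = hashlib.sha1(password.encode("utf-8")).hexdigest()
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac(
            "sha256",
            password.encode("utf-8"),
            bytes.fromhex(record["salt"]),
            record["iterations"],
        ).hex()
    else:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def login(users: dict, email: str, password: str) -> bool:
    """Authenticate, and silently migrate a legacy record on the first good login."""
    record = users.get(email)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] != "pbkdf2_sha256":
        # The plaintext is only available at login time, so this is the
        # one moment the old hash can be replaced without forcing a reset.
        users[email] = pbkdf2_record(password)
    return True
```

Because the migration happens per login, accounts that never log in keep their weak hashes; a site that has already been breached should expire those records and force a reset rather than wait.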
The site is advising users (excluding those who signed up via Facebook or Google authentication, whose passwords were not compromised) to change their password and to make sure they are not using the same password anywhere else online.
How did the breach happen?
8tracks said that it believes “the vector for the attack was an employee’s GitHub account, which was not secured using two-factor authentication.” It does not believe that the breach involved any access to servers, which are secured by public/private SSH-key pairs.
8tracks has assured its customers that it has “secured the account in question, changed passwords for our storage systems, and added access logging to our backup system.”
The company has apologized, saying: “We apologize to those affected by this breach for the inconvenience and are grateful for your understanding and support. We are committed to doing our absolute best to protect our community and keep our users’ data safe.”
Passwords are not enough
A password is a single authentication factor and anyone who has access to it can use it. No matter how strong your password is, if it is lost, stolen, or phished, it is entirely useless at keeping information private.
In the case of the 8tracks breach, two-factor authentication (TFA or 2FA) would have provided an extra layer of security even if the employee’s password had been obtained, because it requires a username, a password, and something that only the user physically possesses.
Apple’s protection for Apple IDs is one familiar example: an Apple ID can be set up with two-factor authentication, after which signing in requires both the password and a six-digit verification code sent to your ‘trusted phone number’.
Two-Factor Authentication considers the evolution of two-factor authentication and evaluates popular methods, such as hardware-based one-time password (OTP) generation, push notification-based authentication, and smart card verification.