Password security alert

We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email. If you signed up via Google or Facebook authentication, then your password is not affected by this leak. 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.

We have found what we believe to be the method of the attack and taken precautions to ensure our databases are secure. 8tracks does not store sensitive customer data such as credit card numbers, phone numbers, or street addresses.

What does this mean for 8tracks users?

Passwords on 8tracks are hashed and salted, meaning that even we can’t tell you what your password is by looking at the database. Although the decryption of one particular user’s password through brute-force techniques is unlikely, we recommend that users change their password on 8tracks and any sites on which they may have used the same password to ensure their personal security. This type of data breach is similar to those previously reported to have impacted accounts with Adobe, Dropbox, LinkedIn, Tumblr and MySpace.
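As an added illustration of the hashed-and-salted storage the post describes (example code, not 8tracks' own), the block below stores a fresh random salt per user beside a PBKDF2-HMAC-SHA256 digest and verifies a login by recomputing the hash; the algorithm, iteration count and record layout are assumptions made here, not details from the post. Because each record carries its own salt, two users with the same password get different hashes, so an attacker holding a leaked table cannot precompute one lookup for all of them and must brute-force each record separately.

```python
"""Salted one-way password hashing and verification (added example).

Assumes Python's standard-library PBKDF2; the work factor and the
'algorithm$iterations$salt$digest' record layout are choices made here.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; tune upward as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record so the salt and cost travel with the hash."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per user, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record; treat as a failed login, not a crash
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_distinct_records(password: str) -> bool:
    """True when two users sharing a password still get different stored hashes."""
    first, second = hash_password(password), hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)
```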

We recommend that people refrain from using the same password across multiple sites, particularly on sensitive applications like email or banking software. We suggest making use of two-factor authentication and using a password manager like LastPass or 1Password.

What got leaked and how?

We believe the vector for the attack was an employee’s GitHub account, which was not secured using two-factor authentication. We were alerted to this breach by an unauthorized password change attempt via GitHub, and it was verified independently by examining data from journalists and a security services company.

We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data. We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on GitHub, to limit access to repositories, and to improve our password encryption.

We apologize to those affected by this breach for the inconvenience and are grateful for your understanding and support. We are committed to doing our absolute best to protect our community and keep our users’ data safe.
