Cyber Incident Victim: Mixcloud
Date: Nov 2019
Location: United Kingdom
Summary
A cybersecurity incident at a U.K.-based audio streaming platform compromised approximately 21 million user records, including usernames, email addresses, passwords hashed with SHA-2, account sign-up and last-login dates, country information, IP addresses, and profile photo links. The stolen data was listed for sale on the dark web for $4,000 after being exfiltrated earlier that month, and its authenticity was verified by checking email addresses against the platform's sign-up system. The company, which falls under GDPR jurisdiction and faces potential fines of up to 4% of annual turnover for violations, provided only a boilerplate statement without confirming whether it would notify regulators or address compliance with breach notification laws. This breach followed a pattern involving the same dark web seller responsible for prior high-profile data leaks.
Description
In November 2019, a dark web seller listed approximately 21 million user records from Mixcloud, a U.K.-based audio streaming platform, for sale at $4,000 (equivalent to 0.5 bitcoin). The seller provided TechCrunch with a sample dataset, enabling verification of the breach's authenticity. The exposed data included usernames, email addresses, and passwords hashed with the SHA-2 algorithm, rendering them computationally impractical to unscramble. Additional compromised information consisted of account sign-up dates, last-login timestamps, users' country locations, IP addresses at registration, and profile photo URLs. TechCrunch validated portions of the data by cross-referencing email addresses through Mixcloud's sign-up feature, though the platform did not mandate email verification for accounts. While the seller initially claimed 20 million affected records, the dark web listing showed 21 million entries, with TechCrunch's analysis of unique dataset values suggesting the actual figure could reach 22 million. The breach marked the second major incident tied to the same dark web entity, which had previously facilitated TechCrunch's exposure of StockX's data breach earlier in 2019.

Mixcloud's leadership provided minimal public response following the breach disclosure. Spokesperson Lisa Roolant directed inquiries exclusively to a generic corporate statement on the company's blog and declined to answer specific questions regarding compliance with U.S. state or EU General Data Protection Regulation (GDPR) notification requirements. Co-founder Nico Perez similarly refrained from additional commentary. As a London-headquartered company, Mixcloud fell under GDPR jurisdiction, which mandates breach notifications to relevant authorities within 72 hours of discovery and carries potential fines of up to 4% of annual global revenue for violations. The incident occurred approximately one year after Mixcloud secured an $11.5 million investment from media firm WndrCo, though financial impacts from the breach remained undisclosed. No technical details regarding breach methodology, internal detection timelines, containment measures, or system vulnerabilities were publicly confirmed by the company or investigators.
