Cyber Incident Victim: 8tracks

In June 2017, internet radio service 8tracks suffered a data breach involving millions of user accounts. The compromised information, traded on underground forums and obtained by Motherboard, included approximately 6 million usernames, email addresses, and SHA1-hashed passwords, with the full dataset reportedly containing 18 million accounts. LeakBase, a breach notification service, supplied the sample data to Motherboard, which verified its authenticity by cross-referencing email addresses from the leak with active 8tracks accounts. Attempts to create new accounts using these emails failed because they were already registered, confirming the data's validity. User signup dates in the stolen records extended back to 2008, indicating the breach encompassed long-standing accounts. The attacker specifically targeted users who registered directly with email credentials, excluding those who authenticated via Google or Facebook. No financial data, such as credit card details or payment information, was exposed in the incident.

8tracks attributed the breach to unauthorized access via an employee’s GitHub account, which lacked two-factor authentication. The company stated it had identified and secured the attack vector while preparing to notify affected customers. Impacted users were those who created accounts using email credentials rather than third-party authentication methods. The use of SHA1 hashing for passwords—a cryptographic method considered vulnerable to brute-force attacks—raised concerns about potential credential cracking. Motherboard independently confirmed that multiple users in the dataset had legitimate 8tracks accounts, though some could not recall their passwords, complicating assessments of cross-service credential reuse risks. The breach highlighted operational security gaps but did not disrupt 8tracks’ core streaming or subscription services.