A Dark Web hacker going by the online handle “nclay” claims to have hacked the popular Internet radio and social networking website 8tracks.com and stolen 18 million accounts (18,674,447) of its registered users.

The hacker tells HackRead that the website was hacked earlier this month and that he was able to grab account details such as usernames, emails, and passwords hashed with Secure Hash Algorithm 1 (SHA-1).

Secure Hash Algorithm 1, commonly referred to as SHA-1, is a hash function that serves as a vital internet security tool; however, in February this year Google security researchers broke SHA-1 and warned companies and software developers to update their systems and use a different algorithm.

The data is now being sold on a popular dark web marketplace for a whopping price of $2,002 (0.8375 Bitcoins).

Screenshot from the Dark Web marketplace

The hacker also provided a list of data. Upon scanning, the data looks legitimate, since the site’s password reset feature successfully sent password reset codes to the emails provided in the sample data.

Password reset page shows: “An email has just been sent.” (No account was accessed during the scanning process.)

8tracks.com was founded in 2008 and revolves around the concept of streaming user-curated playlists consisting of at least 8 tracks. Users create free accounts and can browse the site and listen to other user-created mixes, and/or create their own mixes. The site also has a subscription-based service, 8 tracks plus, although its features are still evolving. Currently, a $25 payment purchases a 6-month subscription, during which time advertisements are removed from the website interface while subscribers are logged in.

It must be noted that the HaveIBeenPwned website shows that all sample emails are already part of previous data breaches, including Adobe, MySpace, Tumblr, River City Media Spam List, Anti-Public Combo List and Dropbox, etc. However, this does not change the importance of the 8tracks breach, as it is as recent as June 2017.

Sample data

We have sent an email to Mr. David Porter, the CEO and founder of 8tracks, and are waiting for his reply about the incident. As for “nclay,” he is the same hacker who previously hacked restaurant and event listing service Zomato and social learning platform Edmodo.

In Zomato’s case, HackRead exclusively reported that “nclay” grabbed 17 million accounts, while in Edmodo’s case the hacker grabbed 77 million accounts. Both databases were then sold on the dark web.

At the time of publishing this article, the data was being sold on the Hansa dark web market.

Update: 

In a blog post, 8tracks has acknowledged the breach. The blog post also informs users that the company uses hashed and salted passwords. However, 8tracks did not mention that the passwords are hashed with the SHA-1 algorithm, which, as stated previously in this article, can be easily cracked.

HackRead advises 8tracks users to not only change their 8tracks account password but also change the login details of accounts on other sites in case they are using the same password anywhere else.
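
For site operators, the weakness of salted SHA-1 for password storage is that a single fast hash lets guesses be tested cheaply once a database leaks, which is why a deliberately slow function is used instead. The following Python code is an added example, not 8tracks' code (the record format, function names and scrypt parameters are assumptions): it verifies a legacy salted SHA-1 record and replaces it with scrypt at the next successful login.

```python
import hashlib
import hmac
import os

# Assumed legacy record format (not taken from 8tracks):
#   "sha1$<salt_hex>$<digest_hex>" with digest = SHA-1(salt || password)
# Replacement format: "scrypt$<salt_hex>$<digest_hex>"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost settings


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Build a record the way the assumed legacy scheme did (fast, weak)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def scrypt_record(password: str, salt: bytes = b"") -> str:
    """Build a record with a memory-hard KDF; a fresh salt is used if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison of the full record strings.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_and_upgrade(password: str, record: str):
    """Return (ok, record_to_store). A valid legacy record is rewritten as scrypt."""
    try:
        scheme, salt_hex, _digest = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False, record  # malformed record: fail closed
    if scheme == "scrypt":
        return _same(scrypt_record(password, salt), record), record
    if scheme == "sha1":
        if _same(legacy_sha1_record(password, salt), record):
            # Password is known only at login, so this is when to re-hash it.
            return True, scrypt_record(password)
        return False, record
    return False, record  # unknown scheme: fail closed
```

Records for users who never log in again stay in the legacy format, so an operator would still need to expire or force a reset of those accounts.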

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.