Data of more than 20m Mixcloud users put up for sale on the dark web

3 Dec 2019

Image: © Shahril KHMD /

UK-based audio streaming service Mixcloud has confirmed in a blog post that it suffered a data breach in November.

UK-based audio streaming service Mixcloud has suffered a data breach, leading to the account data of around 20m users being put up for sale on the dark web.

The breach, which happened in November according to the dark web seller, contained usernames, email addresses and passwords, albeit scrambled with a secure hash algorithm (SHA-2).

The hacker responsible, known as ‘A_W_S’, has previously claimed responsibility for hacks perpetrated against Canva, Chegg, PromoFarma and more.

The seller supplied TechCrunch, ZDNet and a number of other technology journalists with samples of the stolen data.

Mixcloud then confirmed the breach in a blog post on Saturday (30 November), explaining that it had received “credible reports” that hackers had gained unauthorised access to some of its systems.

While it maintains that passwords likely weren’t exposed because they were encrypted and therefore “unlikely” to be revealed to cybercriminals, the streaming site has nonetheless recommended that users change their passwords, particularly if they have been using the same password across multiple services.

“We are actively investigating the incident. We apologize to those affected and are sorry that this has happened. We understand this is frustrating and upsetting to hear, and we take the trust you put in us very seriously,” the statement concluded.

‘Unauthorised third party’

Last week, we reported that Adobe had detected a security breach that was traced back to a vulnerability in the Magento Marketplace website. In an email sent to customers, the company said that this vulnerability allowed a “unauthorised third party” to access information from account holders.

The threat actor in this instance may have accessed usernames, email addresses, store usernames, billing and shipping addresses.

Adobe has said, however, that no financial data or user account passwords were compromised during the attack, though some commercial information was found to have been exposed.

Eva Short was a journalist at Silicon Republic