Cloud

6/30/2017
01:10 PM
100%
0%

8tracks Hit With Breach of 18 Million Accounts

Hackers attack Internet radio user database, gaining access to email addresses and encrypted passwords.

Hackers broke into Internet radio site 8tracks, resulting in a database breach of 18 million users' email addresses and encrypted passwords, according to an International Business Times report.

The online music site says in a blog post that only users who signed up for the service using their email got hit. Customers who rely on Google or Facebook to authenticate themselves  did not have their passwords pilfered, 8tracks says.

The company believes an employee's Github account, which did not have two-factor authentication, served as the attack vector. When Github alerted the 8tracks employee of an unauthorized attempt to change their account password, that is when 8tracks realized a breach had ocurred.

"We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data. We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system," 8tracks states in its blog.

Read more about the breach here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
7/3/2017 | 6:41:05 AM
TFA/MFA and trusting people to self-assess
Here's the thing about attacks like these. They rely on users' undereducation about where they and their employees are vulnerable -- through non-intuitive parts of the attack surface.

The employee here clearly didn't think his GitHub account was important enough to secure with MFA. But, at least for his/her employer, it was.

This is where security training for employees comes into play. It's not just about training employees in corporate policy straight out of the handbook. It's also about educating employees in self-assessment skills for managing security and risk in their day-to-day lives. 
Why CISOs Need a Security Reality Check
Joel Fulton, Chief Information Security Officer for Splunk,  6/13/2018
Cisco Talos Summit: Network Defenders Not Serious Enough About Attacks
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2018
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12294
PUBLISHED: 2018-06-19
WebCore/platform/graphics/texmap/TextureMapperLayer.cpp in WebKit, as used in WebKitGTK+ prior to version 2.20.2, is vulnerable to a use after free for a WebCore::TextureMapperLayer object.
CVE-2018-12519
PUBLISHED: 2018-06-19
An issue was discovered in ShopNx through 2017-11-17. The vulnerability allows a remote attacker to upload any malicious file to a Node.js application. An attacker can upload a malicious HTML file that contains a JavaScript payload to steal a user's credentials.
CVE-2018-12588
PUBLISHED: 2018-06-19
Cross-site scripting (XSS) vulnerability in templates/frontend/pages/searchResults.tpl in Public Knowledge Project (PKP) Open Monograph Press (OMP) v1.2.0 through 3.1.1-1 before 3.1.1-2 allows remote attackers to inject arbitrary web script or HTML via the catalog.noTitlesSearch parameter (aka the S...
CVE-2018-10811
PUBLISHED: 2018-06-19
strongSwan 5.6.0 and older allows Remote Denial of Service because of Missing Initialization of a Variable.
CVE-2018-10945
PUBLISHED: 2018-06-19
The mg_handle_cgi function in mongoose.c in Mongoose 6.11 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash, or NULL pointer dereference) via an HTTP request, related to the mbuf_insert function.