Hackers broke into Internet radio site 8tracks, resulting in a database breach of 18 million users' email addresses and encrypted passwords, according to an International Business Times report.
The online music site says in a blog post that only users who signed up for the service using their email got hit. Customers who rely on Google or Facebook to authenticate themselves did not have their passwords pilfered, 8tracks says.
The company believes an employee's Github account, which did not have two-factor authentication, served as the attack vector. When Github alerted the 8tracks employee of an unauthorized attempt to change their account password, that is when 8tracks realized a breach had ocurred.
"We do not believe this breach involved access to database or production servers, which are secured by public/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data. We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system," 8tracks states in its blog.
Read more about the breach here.