Data of over 200 million Deezer users stolen, leaks on hacking forum

Music-streaming service Deezer has owned up to a data breach, after hackers managed to steal the data of over 200 million of its users.

The data, which appears to have been stolen from one of Deezer’s third-party service providers in 2019, includes:

  • First and last names
  • Dates of birth
  • Email addresses
  • IP addresses
  • Gender
  • Location data (City and Country)
  • Join date
  • User ID

According to RestorePrivacy, which first reported on the breach, the hacker released a sample of 5 million stolen records on a well-known hacking forum, claiming to have a 60GB stash of stolen data, including 228 million email addresses:

“Today I’m selling the information of over 200+ million users from 2019 (specifically before September-October of 2019). It includes Users CSV which is a 60gb file with 257,829,454 records, of those records there are approx 228 million non anonymized unique emails. A CSV containing logged user sessions (IP Address and device). Profiles CS, and a folder named final containing 106 CV’s. Source is still unclear but it seems like Deezer hired a third party data analysis company to analyze their users. I’ll wait for Deezer to confirm where this came from lmao. First buyer also receives access to where this came from (there’s some extra stuff in the source of this).”

Deezer published a support advisory about the breach in November, shortly after the hacker’s post.

Deezer describes the leaked data as “non-sensitive information”, and claims that no passwords or payment details have been exposed.

Non-sensitive? Hmm. At the very least the email addresses and other information could be used to create convincing phishing emails, and perhaps be abused by fraudsters to extract further details from Deezer users.

And I, for one, am disappointed not to have received any notification about the breach from Deezer.

Back in the mists of time (2014), I had a Deezer account. I’d completely forgotten about it, but managed to log back into Deezer today and found my account was still active.

Thankfully I haven’t been paying a subscription all this time, but I am disgruntled that Deezer hasn’t reached out to affected users to inform them that the breach has occurred. Instead, the first I knew about it was when I received a notification from Troy Hunt’s Have I Been Pwned project.

Have I Been Pwned notification of Deezer data breach

Naturally I’ve changed my password as a precaution even though I haven’t used Deezer’s services for almost 10 years. When I get the chance, I’ll look into how I can delete my account entirely.

You may wish to consider doing the same if you don’t have any use for Deezer, or at the very least change your password.

As always, make it a strong one that’s hard to crack, and ensure that you’re not using it anywhere else on the internet.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
