Music-streaming service Deezer has owned up to a data breach, after hackers managed to steal the data of over 200 million of its users.
The data, which appears to have been stolen from one of Deezer’s third-party service providers in 2019, includes:
- First and last names
- Dates of birth
- Email addresses
- IP addresses
- Location data (City and Country)
- Join date
- User ID
According to RestorePrivacy, which first reported on the breach, the hacker released a sample of 5 million stolen records on a well-known hacking forum, claiming to have a 60GB stash of stolen data, including 228 million email addresses:
> Today I'm selling the information of over 200+ million Deezer.com users from 2019 (specifically before September-October of 2019). It includes Users CSV which is a 60gb file with 257,829,454 records, of those records there are approx 228 million non anonymized unique emails. A CSV containing logged user sessions (IP Address and device). Profiles CS, and a folder named final containing 106 CV’s. Source is still unclear but it seems like Deezer hired a third party data analysis company to analyze their users. I'll wait for Deezer to confirm where this came from lmao. First buyer also receives access to where this came from (there's some extra stuff in the source of this).
Deezer published a support advisory about the breach in November, shortly after the hacker’s post.
Deezer describes the leaked data as “non-sensitive information”, and claims that no passwords or payment details have been exposed.
Non-sensitive? Hmm. At the very least the email addresses and other information could be used to create convincing phishing emails, and perhaps be abused by fraudsters to extract further details from Deezer users.
And I, for one, am disappointed not to have received any notification about the breach from Deezer.
Back in the mists of time (2014), I had a Deezer account. I’d completely forgotten about it, but managed to log back into Deezer today and found my account was still active.
Thankfully I haven’t been paying a subscription all this time, but I am disgruntled that Deezer hasn’t reached out to affected users to inform them that the breach has occurred. Instead, the first I knew about it was when I received a notification from Troy Hunt’s Have I Been Pwned project.
Naturally I’ve changed my password as a precaution even though I haven’t used Deezer’s services for almost 10 years. When I get the chance, I’ll look into how I can delete my account entirely.
You may wish to consider doing the same if you don’t have any use for Deezer, or at the very least change your password.
As always, make it a strong one that’s hard to crack, and ensure that you’re not using it anywhere else on the internet.