Data Of 228 Million Deezer Users Stolen

Contents

Summary Of The Attack

  • On November 6th, 2022, a hacker posted on a forum a 60GB CSV file containing personal information including that of the 228 million Deezer members.
  • According to Deezer, the data breach happened in 2019 during which hackers has stolen a user data snapshot by breaching one of their third-party partners.
  • Deezer claims that the security measures are strong and in place.
  • It is recommended to reset your passwords on the Deezer platform as well as enable two-factor authentication (2FA).
.

What Happened?

After a hacker offered information from more than 200 million users for sale on a hacking site, the well-known music streaming service Deezer, which has millions of subscribers worldwide, acknowledged a significant data breach that may have affected millions of Deezer members.

According to Deezer, the data breach happened in 2019 and the hackers were successful in stealing a snapshot of user data at a third-party service provider, which they have not worked with since 2020.

Deezer claimed that it had taken all necessary measures to cooperate with the third-party service provider and ensure that security measures were in place, including obtaining ISO 27001 and SOC 2 certifications, contractual obligations to secure data, GDPR-compliant data protection agreements, certificates of data destruction at the conclusion of their contract.

What Was The Impact?

On November 6th, 2022, a 60GB CSV file containing non-anonymized personal information including 257,829,454 records of the 228 million Deezer members was posted by a user of a well-known breached forum.

According to data sample analysis, the exposed sensitive information included e-mail addresses, user first and last names, dates of birth, gender, location data including city and country, user ID, and registration date.

228 million Deezer members was posted by a user of a well-known breached forum.

According to the hacker, millions of people in the following nations are impacted by this data leak, including the United States, Great Britain, France, Germany, Brazil, Mexico, Italy, Turkey, Columbia, and Guatemala.

Free Security Policy Templates

Get a step ahead of your cybersecurity goals with our comprehensive templates.

IT Security Policy Templates

Who Is Responsible For This Attack?

No hacker organization took responsibility for the data breach, so far only available information is that a threat actor called published data on a breach hacking forum.

The price for the entire dump was not made public because the threat actor only shared it privately with other forum users through direct messaging, so it is further unknown. It’s also uncertain if anyone has purchased the data collection yet.

Before updating the post with a sample of 5 million lines, the hacker published a sample of 1 million stolen records.

How Did The Attack Happen?

Shortly after the hacker released this information, Deezer has been informed that one of their partners suffered a data breach in 2019 as a result of which a snapshot of non-sensitive user data was made public.

Deezer claims that the security measures are strong and in place, databases are safe as well as that this attack did not compromise any passwords or payment information.

How Can This Attack Be Prevented?

To check whether your account has been compromised we can use a data breach notification service called ‘Have I Been Pwned’ has integrated the Deezer data leak into its system and has started informing its subscribers whose email addresses were discovered in the data breach collections.

The aim of targeted phishing scams is to steal your passwords or other sensitive information, so all Deezer users should be on the watch for these possible attempts.

To reduce the risk of being a credential-stuffing victim, users of Deezer are recommended to reset their passwords on the platform and do the same on any other online platform where they might be using the same credentials, as well to always use Two-factor authentication (2FA) on all the services you use to reduce the risk of falling victim to credential stuffing.

The best practice is to use a reliable password manager tool like the free and open-source tool KeePass to help you remember all of your passwords.

Article by

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Share This Article

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

Get the week’s best
cybersecurity content.

Related Breaches