Author: Dušan Trojanović / Last Updated: 01/16/2022
Reviewed By: Dalibor Gašić
After a hacker offered information from more than 200 million users for sale on a hacking site, the well-known music streaming service Deezer, which has millions of subscribers worldwide, acknowledged a significant data breach that may have affected millions of Deezer members.
According to Deezer, the data breach happened in 2019, when the attackers stole a snapshot of user data held by a third-party service provider that Deezer has not worked with since 2020.
Deezer stated that it had taken all necessary measures in its dealings with the third-party service provider to ensure that security controls were in place, including the provider's ISO 27001 and SOC 2 certifications, contractual obligations to secure data, GDPR-compliant data protection agreements, and certificates of data destruction at the conclusion of the contract.
On November 6th, 2022, a user of a well-known data breach forum posted a 60GB CSV file of non-anonymized personal information: 257,829,454 records covering the 228 million Deezer members.
According to data sample analysis, the exposed sensitive information included e-mail addresses, user first and last names, dates of birth, gender, location data including city and country, user ID, and registration date.
According to the hacker, the leak affects millions of people in the following countries: the United States, Great Britain, France, Germany, Brazil, Mexico, Italy, Turkey, Colombia, and Guatemala.
No hacker group has taken responsibility for the data breach; so far, the only available information is that a threat actor called published the data on a data breach hacking forum.
The price of the full dump was not made public, since the threat actor only shared it privately with other forum users through direct messages. It is also uncertain whether anyone has purchased the data set yet.
The hacker first published a sample of 1 million stolen records, later updating the post with a sample of 5 million lines.
Shortly after the hacker released this information, Deezer was informed that one of its partners had suffered a data breach in 2019, as a result of which a snapshot of non-sensitive user data was made public.
Deezer claims that its security measures are strong and in place, that its databases are secure, and that this attack did not compromise any passwords or payment information.
To check whether your account has been compromised, you can use the data breach notification service ‘Have I Been Pwned’, which has integrated the Deezer data leak into its system and has started notifying its subscribers whose email addresses were discovered in the breach collection.
Targeted phishing scams aim to steal your passwords or other sensitive information, so all Deezer users should watch for such attempts.
To reduce the risk of becoming a credential-stuffing victim, Deezer users are advised to reset their password on the platform and on any other online service where they may be reusing the same credentials, and to always enable two-factor authentication (2FA) on every service they use.
The best practice is to use a reliable password manager, such as the free and open-source tool KeePass, to help you keep track of all of your passwords.
Dušan is a Senior Security Engineer actively working as a penetration tester in DevSecOps projects. He is also an avid security researcher bringing forward analysis on the latest attacks and techniques.