
Data Of 228 Million Deezer Users Stolen

 


Author: Dušan Trojanović / Last Updated: 01/16/2022

Reviewed By: Dalibor Gašić


Summary Of The Attack

 

  • On November 6th, 2022, a hacker posted on a forum a 60GB CSV file containing personal information including that of the 228 million Deezer members.
  • According to Deezer, the data breach happened in 2019, when hackers stole a user data snapshot by breaching one of its third-party partners.
  • Deezer claims that the security measures are strong and in place.
  • It is recommended to reset your passwords on the Deezer platform as well as enable two-factor authentication (2FA).

 

 

What Happened?

 

After a hacker offered information from more than 200 million users for sale on a hacking site, the well-known music streaming service Deezer, which has millions of subscribers worldwide, acknowledged a significant data breach that may have affected millions of Deezer members.

 

According to Deezer, the data breach happened in 2019 and the hackers were successful in stealing a snapshot of user data at a third-party service provider, which they have not worked with since 2020.

 

Deezer claimed that it had taken all necessary measures to cooperate with the third-party service provider and ensure that security measures were in place, including obtaining ISO 27001 and SOC 2 certifications, contractual obligations to secure data, GDPR-compliant data protection agreements, and certificates of data destruction at the conclusion of their contract.

What Was The Impact?

 

On November 6th, 2022, a 60GB CSV file containing non-anonymized personal information including 257,829,454 records of the 228 million Deezer members was posted by a user of a well-known breached forum.

 

According to data sample analysis, the exposed sensitive information included e-mail addresses, user first and last names, dates of birth, gender, location data including city and country, user ID, and registration date.

 


 

According to the hacker, the data leak impacts millions of people in nations including the United States, Great Britain, France, Germany, Brazil, Mexico, Italy, Turkey, Colombia, and Guatemala.


Who Is Responsible For This Attack?

 

No hacker organization has taken responsibility for the data breach; so far, the only available information is that a threat actor called published data on a breach hacking forum.

 

The price for the entire dump was not made public because the threat actor only shared it privately with other forum users through direct messaging, so it remains unknown. It’s also uncertain if anyone has purchased the data collection yet.

 

Before updating the post with a sample of 5 million lines, the hacker published a sample of 1 million stolen records.

How Did The Attack Happen?

 

Shortly after the hacker released this information, Deezer was informed that one of their partners had suffered a data breach in 2019, as a result of which a snapshot of non-sensitive user data was made public.

 

Deezer claims that its security measures are strong and in place, that its databases are safe, and that this attack did not compromise any passwords or payment information.


How Can This Attack Be Prevented?

 

To check whether your account has been compromised, you can use the data breach notification service ‘Have I Been Pwned’, which has integrated the Deezer data leak into its system and has started informing its subscribers whose email addresses were discovered in the data breach collections.

 

The aim of targeted phishing scams is to steal your passwords or other sensitive information, so all Deezer users should be on the lookout for these possible attempts.

 

To reduce the risk of becoming a credential-stuffing victim, Deezer users are recommended to reset their passwords on the platform and on any other online platform where they might be using the same credentials, and to always use two-factor authentication (2FA) on all the services they use.

 

The best practice is to use a reliable password manager tool like the free and open-source tool KeePass to help you remember all of your passwords.

 



Dušan Trojanović

Dušan is a Senior Security Engineer actively working as a penetration tester in DevSecOps projects. He is also an avid security researcher bringing forward analysis on the latest attacks and techniques.
