What Happened
In June 2017, the online music streaming and playlist service 8tracks suffered a data breach affecting approximately 18 million user accounts when attackers exploited an unsecured employee GitHub account that lacked two-factor authentication. The compromised data included email addresses, usernames, and salted SHA-1 password hashes for users who registered with email and password rather than Google or Facebook authentication; users who signed up via third-party services were not affected. The attackers gained access to a backup system containing the user database through the GitHub account, which the company discovered when notified of an unauthorized password change attempt. In response, 8tracks secured the compromised account, invalidated affected passwords, removed the exposed GitHub repository, enforced two-factor authentication on GitHub, and improved password encryption practices.
