The hacked passwords of nearly 7.5 million DatPiff members are sold online, and users can check if they are part of the data breach through the Have I Been Pwned notification service.
DatPiff is a popular mixtape hosting service used by over 15 million users, allowing unregistered users to upload or download samples for free.
The DatPiff data breach
It is not known when the data breach occurred, but the DatPiff database was first sold privately and then publicly sold on hacking forums in July 2020.
The stolen DatPiff database contains 7,476,940 member records, including a user’s email address, password, username, and security question.
On November 30, another data breach collector started selling the database again on the same hacking forum. However, this time the passwords have been hashed to include the plain text passwords as well as the email address.
Soon after, another threat actor released the database completely free of charge, allowing any other threat actor to use the information.
Database passwords could be cracked because DatPiff hashed them with the MD5 algorithm, an old cryptographic hash function (1992) considered obsolete and insecure, especially for securing passwords.
To crack MD5 passwords, hackers can compare hashes to known MD5 wordlists or use cracking tools to force brute-force passwords.
BleepingComputer was informed in December that a malicious actor had hacked DatPiff using a website vulnerability scanner that allowed it to gain access to the server.
However, the threat actor is believed not to have breached the DatPiff website but rather a server with an old database backup.
What should DatPiff users do?
Although this database is very old, if you have an account on DatPiff, you are strongly advised to reset your password and use a unique and strong one.
Those who use the same password on other websites should change it to avoid falling victim to credential stuffing attacks.
DatPiff members can search for their email addresses on the Have i been condemned data breach notification services to see if they are among the more than 7 million users affected by this breach.
As of this writing, DatPiff has not released a statement on this data breach incident, sent no notifications to users, and has not forced a password reset.
Bleeping Computer has contacted the platform and we will update this article as soon as we receive a comment from them.