PII of more than 200 million Deezer users from 10 countries was hacked and published

After a hacker offered data from more than 200 million Deezer subscribers for sale on a hacking site, the music streaming service Deezer has acknowledged that its database was hacked by a third party. An email sent by Deezer confirmed the incident and explained that the company is cooperating with French authorities.

The well-known music streaming service Deezer, which has millions of users all over the globe, has acknowledged that it suffered a significant data breach involving a third-party service provider, which may have affected millions of Deezer subscribers.

The organization reports that the data breach happened in 2019, and that the hackers were only successful in stealing a snapshot of the users’ data.

According to the findings of RestorePrivacy’s study of the data sample, the following types of information were exposed:

Initials and surnames
Dates and times of birth
Email addresses
Gender
Location data (City and Country)
Join date
User ID

According to Deezer, there have been no reports of any passwords or payment information being stolen as a consequence of this incident.

On November 6, 2022, a member of the Breached hacking forums posted a sample of the compromised data. The user claims to have data from more than 240 million Deezer users and has provided a sample covering 5 million people.

Soon after the hacker made this information public, Deezer acknowledged the security incident on the help page of its website.

According to the release made by Deezer, “This information came to light on November 8, 2022 as a consequence of our continuous efforts to safeguard the security and integrity of our users’ personal information.”

“The data at issue had been managed by a third party partner that we haven’t dealt with since 2020, and it was this partner that was subject to the incident,” the statement said. “The security mechanisms used by Deezer are still functioning properly, and our own databases are safe.”

The hacker's ad stated an intention to sell the data and listed the following as part of the whole 60 GB dump:

Over 258 million records
228 million email addresses in cleartext form
Log sessions containing IP addresses and device data

According to the claims made by the hacker, this data breach affects millions of people in each of the following countries:

France: 46.2 million users
Brazil: 37.1 million users
United Kingdom: 15.3 million users
Germany: 14.1 million users
Mexico: 11.1 million users
Colombia: 9.0 million users
Turkey: 6.9 million users
United States: 6.4 million users
Italy: 5.0 million users
Guatemala: 4.4 million users

Although Deezer has acknowledged that the data breach includes user names, email addresses, and birth dates, our investigation has shown that it also includes location data (including city and country), gender, and user ID for certain users, in addition to the join date and source.

Hackers might use this information to get access to users’ Deezer accounts and commit fraud against them. The data might potentially be linked with information obtained from previous breaches and information that is accessible to the public in order to generate extensive user profiles, which could subsequently be sold to other parties or used in fraudulent behavior.

Users of Deezer are encouraged to change their passwords on the service, as well as change their passwords on any other online platforms where they could be using the same credentials. This will help lessen the likelihood that they will become victims of credential stuffing.