Deezer has admitted to a data breach via a third party after a hacker posted data from 200+ million Deezer users for sale on a hacking forum. In an email to RestorePrivacy, Deezer confirmed the incident and explained they are working with French authorities.
Deezer, the popular music streaming service with millions of users around the world, has admitted to a large-scale data breach via a third-party service provider that potentially affects millions of Deezer users.
The company says the data breach occurred back in 2019, with the hackers managing to steal a snapshot of user data.
Based on RestorePrivacy’s analysis of the data sample, the exposed information includes:
- First and last names
- Dates of birth
- Email addresses
- Location data (City and Country)
- Join date
- User ID
According to Deezer, no passwords or payment details have been compromised as a result of this attack.
A user on the Breached hacking forums published a sample of the data on November 6, 2022. The user is claiming to have data from 240+ million Deezer users and has now released a 5 million user sample.
Shortly after the hacker released this information, Deezer admitted to a security breach via the support section of its website.
“This information came to light November 8, 2022, as a result of our ongoing efforts to ensure the security and integrity of our users’ personal information,” reads Deezer’s announcement.
“The data in question had been handled by a 3rd party partner that we haven’t worked with since 2020, and it was this partner that experienced the breach. Deezer’s security systems remain effective, and our own databases are secure.”
The hacker’s poster claimed intent to sell the data, saying the full 60 GB dump contains:
- almost 258 million records,
- 228 million email addresses in cleartext form, and
- log sessions, including IP addresses and device details.
The hacker is claiming that this data breach affects millions of users in the following countries:
- France: 46.2 million users
- Brazil: 37.1 million users
- Great Britain: 15.3 million users
- Germany: 14.1 million users
- Mexico: 11.1 million users
- Columbia: 9.0 million users
- Turkey: 6.9 million users
- United States: 6.4 million users
- Italy: 5.0 million users
- Guatemala: 4.4 million users
The requested price for the full dump wasn’t disclosed publicly as the threat actor only shared it via direct messages with other forum users, so it’s unspecified. Also, it is unknown if anyone has bought the dataset yet.
Several threat actors, including the forum’s operator, “Pompompurin,” have confirmed that the data is valid and appears authentic.
Analysis and verification of the data sample
RestorePrivacy obtained samples of the data for analysis and can confirm that all data appears authentic and matches publicly-available information from affected Deezer users.
While Deezer has admitted the data breach includes user names, dates of birth, and email addresses, our analysis shows it also contains location data (city and country), gender, and user ID for some users, as well as join date and source.
Below is a screenshot from the 5 million user sample released by the hacker.
In a statement to RestorePrivacy, Deezer confirmed the security breach, but would not comment on the scope.
The incident occurred at one of our former service providers in 2019, and Deezer’s own systems and databases are secure. The data exposed includes only basic information, such as email addresses. No passwords or payment details of our customers have been affected.-Deezer’s statement to RestorePrivacy
We are taking this incident very seriously and are currently working with the French data protection authorities to confirm the source of the incident and take any action that may be necessary.
In a follow-up statement to RestorePrivacy, Deezer has confirmed they are investigating the scope of the breach and how many users it affects.
Hackers can use this information to target Deezer users with hacking and fraud. The data could also be combined with other leaks and publicly-available information to create detailed user profiles, which can then be sold to others and/or used for fraudulent activity.
Users of Deezer are recommended to reset their passwords on the platform and do the same on any other online platform where they might be using the same credentials to reduce the risk of falling victim to credential stuffing.
Update December 8, 2022: The title of the article and subsequent paragraphs were updated to better reflect that this data breach happened via a third party service used by Deezer.