Deezer has admitted to a data breach via a third party after a hacker posted data from 200+ million Deezer users for sale on a hacking forum. In an email to RestorePrivacy, Deezer confirmed the incident and explained they are working with French authorities.
Deezer, the popular music streaming service with millions of users around the world, has admitted to a large-scale data breach via a third-party service provider that potentially affects millions of Deezer users.
The company says the data breach occurred back in 2019, with the hackers managing to steal a large amount of user data that is now freely available on the dark web.
Based on RestorePrivacy’s analysis of the data sample, the exposed information includes:
- First and last names
- Dates of birth
- Email addresses
- Gender
- Location data (City and Country)
- Join date
- User ID
According to Deezer, no passwords or payment details have been compromised as a result of this attack.
A user on the Breached hacking forums published a sample of the data on November 6, 2022. The user is claiming to have data from 240+ million Deezer users and has now released a 5 million user sample.
Shortly after the hacker released this information, Deezer admitted to a security breach via the support section of its website.
“This information came to light November 8, 2022, as a result of our ongoing efforts to ensure the security and integrity of our users’ personal information,” reads Deezer’s announcement.
“The data in question had been handled by a 3rd party partner that we haven’t worked with since 2020, and it was this partner that experienced the breach. Deezer’s security systems remain effective, and our own databases are secure.”
The hacker’s poster claimed intent to sell the data, saying the full 60 GB dump contains:
- almost 258 million records,
- 228 million email addresses in cleartext form, and
- log sessions, including IP addresses and device details.
Source: RestorePrivacy.com
The hacker is claiming that this data breach affects millions of users in the following countries:
- France: 46.2 million users
- Brazil: 37.1 million users
- Great Britain: 15.3 million users
- Germany: 14.1 million users
- Mexico: 11.1 million users
- Columbia: 9.0 million users
- Turkey: 6.9 million users
- United States: 6.4 million users
- Italy: 5.0 million users
- Guatemala: 4.4 million users
The requested price for the full dump wasn’t disclosed publicly as the threat actor only shared it via direct messages with other forum users, so it’s unspecified. Also, it is unknown if anyone has bought the dataset yet.
Several threat actors, including the forum’s operator, “Pompompurin,” have confirmed that the data is valid and appears authentic.
Analysis and verification of the data sample
RestorePrivacy obtained samples of the data for analysis and can confirm that all data appears authentic and matches publicly-available information from affected Deezer users.
While Deezer has admitted the data breach includes user names, dates of birth, and email addresses, our analysis shows it also contains location data (city and country), gender, and user ID for some users, as well as join date and source.
Below is a screenshot from the 5 million user sample released by the hacker.
In a statement to RestorePrivacy, Deezer confirmed the security breach, but would not comment on the scope.
The incident occurred at one of our former service providers in 2019, and Deezer’s own systems and databases are secure. The data exposed includes only basic information, such as email addresses. No passwords or payment details of our customers have been affected.
-Deezer’s statement to RestorePrivacy
We are taking this incident very seriously and are currently working with the French data protection authorities to confirm the source of the incident and take any action that may be necessary.
In a follow-up statement to RestorePrivacy, Deezer has confirmed they are investigating the scope of the breach and how many users it affects.
Hackers can use this information to target Deezer users with hacking and fraud. The data could also be combined with other leaks and publicly-available information to create detailed user profiles, which can then be sold to others and/or used for fraudulent activity.
Users of Deezer are recommended to reset their passwords on the platform and do the same on any other online platform where they might be using the same credentials to reduce the risk of falling victim to credential stuffing.
Update December 8, 2022: The title of the article and subsequent paragraphs were updated to better reflect that this data breach happened via a third party service used by Deezer.
Google Gives Pixel 7 Users VPN by Google One at no Extra Cost
I have the same problem my Info is on the dark Web since 2019 I haven’t been on this deezer
I would be with you!! My data are there, too over Deezer. But what can we do now??
i too have had my info shared to darkweb by deezer i would like to form a class action lawsuit against Deezer for lack of action in notifying users about this breech i will need maybe 20 or 30 others in the US who would like to join us
forsure
Me too
Let’s just do it!! Mine are out there,too and I am a 55 year old female. F Deezer!! Sorry but I am really angry. LETS DO IT, pls contact me. I am in Europe. Let’s make a mass- court case against them. How could they give our data out of their hand’s??
Best whishes and PLS let’s do something against it,
Gets A
I’m in Ontario Canada and Deezer breached my Data as well as I learned through Reklaim via Have I Been PWNed and I wnat to join any class action suit I can because this needs to be dealt with
I’m with you
i didnt do this
It looks like you are to young
they have mine too and would join this class action suit!
I’m in Ontario Canada and Deezer breached my Data as well as I learned through Reklaim via Have I Been PWNed and I wnat to join any class action suit I can because this needs to be dealt with
I’m with you on this
Facts.
I only just found out about this cos I done a dark Web scan
im with you my information is on it as well
bruh why did i sign up for this used it like once
Thanks for letting the customers know about the breach Deezer NOT!!! I only found out about it because I checked my security on a “have u been pwned” type check so it’s nice to have to find out on my own that I may have a security leak of basically ALL my personal details!!! What the hell Deezer this is terrible customer service what a disgrace. No wonder I have so many unknown sources sending me a multitude of emails etc and that’s only what I know about so far….. not good enough at all.
Boa tarde.
Venho por meio deste, manifestar a minha indignação, que só hoje, (25/03/2023), ás 12:27m, percebi que meu e-mail, foi violado, através de um hacker segundo, noticiado na mesma data acima, (g1, e Globo), e pele Empresa (DEEZER), a quem eu busquei para saborear das músicas diversas, e um lazer para a minha vida, e acredito que outras pessoas foram também afetadas, acabando assim, com todas ás nossas expectativas, nos prejudicando emocionalmente, psicologicamente e pessoal, além, do profissional. Quero uma resposta urgente!
Quero um retorno sobre essa violação.
Preciso de uma resposta urgente
je suis pas du tout d’accord par la méthode D’utilisation de mes données personnelles, je réclame à deezeer de bien vouloir me faire parvenir les informations nécessaires afin que je puisse vous faire confiance.
so I’m just now figuring out about this data breach and not by the company as it should be but because I out my email into the ” Have I been pwned”” search bar. So now what happens…!!!?????!!!
Ich wüsste nicht, das ich bei Deezer ein Konto habe. Ich bekomme auch als eine Nachricht, das Deezer meine E-Mail Adresse geklaut hat.
wenn du Vodafonekunde warst, solltest du dich da bedanken!
I no longer remembered that I had a Deezer account. Only now, until I saw the data breach and after looking through my old emails, I have found my Deezer subscription back in 2012!
Surely many other people don’t remember their Deezer subscription. Oh how long it took to discover this data theft!
I’ve never had a Deezer account and lifelock just notified me Deezer sold my information to the dark web. This company needs to be held accountable and we need to file a lawsuit against them
I’ve never made an account on Deeze! There is definitely an error; my data was stolen on Twitter and not on Deezer… I think there is a lot of confusion in this news…
I didn’t even remembered that i had an account on Deezer until i saw this thing about the data breach, and when i was going to delete the account, it didn’t even existed anymore, tf
I had an account on deezer. How can I see the information of me that is exposed in the leak?
Have i been pwned
I just found out all the same of mine was breached 01/2023 on the dark web as well a lot of searches go nowhere I hear of deezer admitting it and cannot find a administrator for the payout and hiring a grimy lowlife excuse of a lawyer am I interested in as I’m not paying a ambulance chasing lazy attorney 4 dollars or 40 percent if what I have coming because they are preying lazy a.. pieces of s… that the company should pay and from the looks of all searches they go to some slinbag attorney who has their hands out for well over 40 percent which should be criminal and no place can I find how to get directly to deezer payout administrator to directly get paid from especially since I’m severely mentally I’ll and why pay a dime to some lazy ambulance excuse of attorney who prays on other and pays to have themselves come back in a search over this and has the contact or how to contact the payout administrator over this by paying google to come up in a search to contact their administrator to get 100 percent of the settlement for me does anybody have the administrators contact info so I can tell contact th as t person on my own? Thank you
France only has 67.5 million people, how could 46.2 million French people have been affected by this leak?
Deezer IS in alliance with telecom masters in France yes most of the people have Deezer
I have Tidal in France 😎
Back in the days I used to use a lot of junk email adress in order to have the free trial. May be i’m not the only one
I made an account on deezer in like 2012 wtf is this
The service is not even available here, I think several centuries ago I tried to sign up then, only then they showed that the service is not available here.
The fact that I got an email for this from Have I Been Pwned makes me angry, they won’t even provide any and all services yet they still gobbled up all the info I fed and sat on it for centuries.
Says I’ve been pwned but I’ve never heard of this site nor do i have an account . . .
same
Same here… :-/
Same
Bonjour
Je vous prie de retirer de votre application mon adressee-mail car ma protection VIRALE DE MON SMARTPHONE me demande chaque jour que DEEZER est infecté.
Merci de me rendre ce service.
Cordialement.
Pierre Dal Moro
Sven Sir please also create a section for secure digital note taking applications. Though many of use store information like random web pages from news websites and recipes etc which need not to be super secured, still I believe secure and private end to end encrypted note service might be important for some.
I have been an Evernote premium subscriber since years which is very a nice and useful service but is not end to end encrypted. Few weeks back I subscribed to a service which claims to provide end to end encryption for Notes and attachments. It is called Notesnook (https://notesnook.com/).
There are some solutions for this in our Google Alternatives guide. CryptPad might work for you.
what can i do about this
One can avoid sensitive information leak as in this case by using a VPN all the time to avoid location sharing location data and also using shadow email aliases from services like Simple Login, Duckduckgo’s new service and Firefox Relay. Or if not using shadow email aliases then at least using a separate email address for subscribing to services and using different email address for banks etc and this is what I do as I don’t want to pay for a premium service using shadow or temporary email address but I do use email aliases for securing my other sensitive accounts.
Other that location hiding via VPN and using a separate email alias dedicated to few selected category of services, the leak of other details can be made ineffective by not giving correct date of birth but an approximate one like 1st January 2010 and incorrect names.
Obviously asking for location via a billing address or app permissions bypasses a VPN.