Cracked passwords of around 7.5 million DatPiff members are available for sale online. Users may employ the Have I Been Pwned notification service to check whether they were affected by the data breach. DatPiff is a prominent mixtape hosting service with over 15 million users. It allows unregistered users to upload and download samples for free.
The date of the data breach is unknown. However, the DatPiff database was sold privately before being made public on hacking forums in July 2020. The compromised DatPiff database has 7,476,940 user records, including email addresses, passwords, usernames, and security questions.
Another data breach collector started selling the database on the same platform on November 30th. This time the passwords had been cracked, so the listing exposed the plain-text passwords alongside the email addresses. Soon after, another threat actor made the database publicly available for free, allowing any other threat actor to exploit it.
Because DatPiff hashed the passwords in the database with MD5, a cryptographic hash function dating from 1992 that is considered obsolete and unsafe, particularly for password storage, the passwords in the database can be recovered. MD5 hashes cannot be decrypted, but because MD5 is fast to compute and was apparently used without a per-user salt, crackers recover the original passwords by comparing the hashes against precomputed MD5 wordlists or by brute-forcing candidates with cracking tools.
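The following added example (not code from the article or from DatPiff) shows why an unsalted MD5 store is recoverable by a single dictionary lookup per record, beside the hardened form a defender would deploy instead: a random per-user salt with the memory-hard scrypt KDF from Python's standard library. The wordlist is constructed here for illustration and is not drawn from the breach.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample wordlist: the kind of list a cracker precomputes once
# and reuses against every record when no salt is present.
COMMON_PASSWORDS = ["123456", "password", "mixtape2020", "qwerty"]

# scrypt cost: n=2**14, r=8 needs about 16 MiB per hash, which is what makes
# bulk precomputation expensive (hypothetical tuning, adjust for your hardware).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_md5_hash(password: str) -> str:
    """The weak scheme described in the article: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """One cheap MD5 per candidate; because there is no salt, the same table
    matches every user's record, so the cost is paid once for the whole dump."""
    return {legacy_md5_hash(word): word for word in wordlist}


def recover_from_lookup(md5_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Recovery of an unsalted MD5 hash is a dictionary lookup, not computation."""
    return table.get(md5_hex.lower())


def hardened_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: 16 random salt bytes plus scrypt, stored together as
    'scrypt$<salt hex>$<digest hex>' so verification can reuse the salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

With the salted scheme two users who chose the same password get different stored values, so a precomputed table cannot be reused across records and each guess must be recomputed at full scrypt cost.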
In December, it was discovered that a threat actor had used a website vulnerability scanner to gain access to a DatPiff server. However, the threat actor is thought to have compromised a server holding obsolete database backups rather than the DatPiff website itself.
While this database is somewhat old, if you have a DatPiff account, you should change your password and choose something unique and strong. Those who reused the same password on other websites should change it on every site where it was used, to avoid becoming a victim of credential stuffing attacks.
DatPiff members can check their email addresses against the Have I Been Pwned data breach notification service to discover whether they are among the nearly 7 million people affected by the hack. As of this writing, DatPiff has not issued a comment on the data breach, has not notified users, and has not enforced a password reset.