Have I Been Pwned: Data Breach at DatPiff Might Affect Millions

Cracked passwords of around 7.5 million DatPiff members are available for sale online. Users may employ the Have I Been Pwned notification service to check whether they were affected by the data breach. DatPiff is a prominent mixtape hosting service with over 15 million users. It allows unregistered users to upload and download samples for free.

The date of the data breach is unknown. However, the DatPiff database was sold privately before being made public on hacking forums in July 2020. The compromised DatPiff database has 7,476,940 user records, including email addresses, passwords, usernames, and security questions.

Another data breach collector started selling the database on the same platform on November 30th. The passwords were de-hashed this time, revealing the plain-text passwords as well as the email addresses. Soon after, another threat actor made the database publicly available for free, allowing any other threat actor to exploit it.

Because DatPiff hashed the passwords in the database with MD5, an outdated (1992) cryptographic hash function that is deemed antiquated and unsafe, especially for password security, the passwords in the database may be cracked. A hash cannot be decrypted; crackers recover MD5-hashed passwords by comparing the hashes to the MD5 hashes of known wordlists or by brute-forcing them with cracking tools.
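The weakness described above and the usual server-side remedy, as an added example that is not from the article or from DatPiff: unsalted MD5 gives every user with the same password the same record, while a salted, slow hash does not, and legacy records can be replaced on the next successful login. The function names, record format and iteration count are assumptions made for this illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune for your hardware


def legacy_md5(password: str) -> str:
    """Unsalted MD5: one fast hash, identical for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes | None = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash stored as 'pbkdf2_sha256$<iterations>$<salt>$<digest>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login attempt and return (ok, record_to_store).

    A legacy MD5 record is replaced by a PBKDF2 record on the first
    successful login, so the weak hash disappears from the database.
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, stored), stored
    if hmac.compare_digest(legacy_md5(password), stored.lower()):
        return True, pbkdf2_record(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample rows (not from the breach): two users, same password.
    users = {"alice": legacy_md5("password"), "bob": legacy_md5("password")}
    print("identical MD5 records:", users["alice"] == users["bob"])
    for name in users:
        ok, users[name] = verify_and_upgrade("password", users[name])
        print(name, ok, users[name][:40] + "...")
    print("identical after upgrade:", users["alice"] == users["bob"])
```

Rehashing on login only covers accounts that sign in again, so records that stay on MD5 still need a forced password reset.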

In December, it was discovered that a threat actor used a website vulnerability scanner to get access to DatPiff’s server. However, the threat actor is thought to have hacked a server with obsolete database backups rather than the DatPiff website itself.

While this database is somewhat old, if you have a DatPiff account, you should update your password and use something unique and strong. Those who use the same password on many websites should update it to prevent being a victim of credential stuffing attacks.

Members of DatPiff may check the Have I Been Pwned data breach notification service for their email addresses to discover whether they are among the nearly 7 million people affected by the hack. DatPiff hasn’t issued a comment on the data breach event, hasn’t notified users, and hasn’t enforced a password reset as of this writing.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.