Deezer: data of 250 million users, stolen in 2019, leaked online

The names, email addresses and birth dates of millions of Deezer users are just a click away from hackers. French streaming platform Deezer has been grappling for several weeks with the online publication of a file containing data from 250 million user accounts, apparently stolen in 2019 from a service provider.

“The data exposed includes basic information such as first and last name, date of birth, email address,” but does not include “sensitive” information such as passwords or payment details, Deezer said in a press release.

On its own, the data stolen from Deezer does not allow a user to be attacked directly. But it can facilitate more elaborate attacks such as phishing, in which the attacker uses personal information to gain the trust of the target.

Deezer declined to confirm the number of user accounts in question, but according to Damien Bancal, author of the specialist blog Zataz.com, data on 257 million users has been uploaded, amounting to more than 260 GB (gigabytes) of information.

The American site restoreprivacy.com, which had mentioned the case in November, indicated for its part that it had identified “more than 240 million” accounts in question, including 46.2 million users in France, 37.1 million in Brazil and 15.3 million in Germany.

Deezer warned Cnil, the French internet privacy watchdog, in November, and has been working “in close cooperation” with it. “We are in the process of contacting affected users by email to make them aware of the dangers of phishing and to encourage them to be vigilant,” Deezer explained. “We recommend that our users, as a precaution, change their passwords,” the company added.

Data on sale for a long time

The database of data stolen in 2019 “was already on sale for a long time in private spaces” of hackers, “we heard about it” indirectly, explained Damien Bancal. And “on December 23,” more than three years after the original theft according to Deezer, “the file was made available for free” on an easily accessible site well known to pirates and hackers, he added.

After a data theft, the hacker first tries to “squeeze it like a lemon” by trying to extract the maximum value from it himself, or by selling it to some of the hacker’s VIPs, he explains. Then the circle of people who have the file gradually widens and the value of the data decreases, until someone decides to put it online for free, especially for self-promotional purposes, the expert continued.

Deezer clarified that it no longer worked “as of 2020” with the provider targeted by the data theft. “Deezer’s security systems remain effective and our databases are secure,” the company explained in an English blog post published in November as the data began to emerge.

According to Troy Hunt, host of the site Haveibeenpwned, which warns internet users when their email address is being circulated among hackers, the Deezer leak is “the most significant” the site has dealt with since the discovery of a file containing data for nearly 530 million Facebook accounts in the first half of 2021.

The case comes in a tense general context for Deezer, which is trying to find its place against the giants of the sector such as Spotify and Apple Music. The share price fell to a level of around 3 euros, while it had been listed on the Paris Stock Exchange at 8.5 euros in July 2022.
