Rap and hip-hop fans can download or stream music for free from mixtape provider DatPiff. You can do this without registering, but in order to participate in the associated community, interested parties must create an account. The “Have I Been Pwned“Project (HIBP) has now added around 7.5 million data records from e-mail addresses and plain text password pairs to its own database. They come from a data theft at DatPiff, which presumably took place in August 2021.
According to HIBP, the records of e-mail addresses, passwords, security questions and related answers, as well as user names, were offered for sale in digital underground forums. Except for the mail address, the information would have been available as an MD5 hash with static salt.
The procedure has long been considered unsafe. The data is now cracked in plain text, as an email address with a password, writes Have I Been Pwned in the notification of the leak.
Countermeasures
According to media reports, the data from the break-in is now also available free of charge in underground forums. DatPiff users should therefore change their password on the service immediately. If you use it with several services, you must of course also assign a new password there. In this case, however, all services should have their own password. The practical article “Generate good passwords and use them securely” provides information and tips on this.
You can quickly and easily check whether your own e-mail address has appeared in data leaks on the Have I Been Pwned homepage. A German alternative is provided by the Hasso Plattner Institute in Potsdam, where you can also check your email address.
(dmk)