The French music streaming platform Deezer has been dealing with a major data leak for several weeks, one that has been known since the beginning of November 2022. Although the platform sought to reassure its users that “no information concerning passwords or payment information has been discovered”, the circulation of the stolen data is likely to lead to account takeover attempts and phishing attacks.
First, users affected by the leak can expect credential stuffing attacks against their Deezer accounts, since part of the username-password pair is now known. The platform has accordingly advised its users to change their password.
Attackers will likely try to exploit a well-known human weakness, the reuse of the same password across different services, before reselling access to the compromised accounts on black markets, an already widespread fraudulent trade.
Given the information that has leaked (users' first and last names, dates of birth, e-mail addresses, gender, geographical location and nickname on the platform), the leak can also be expected to fuel phishing attacks. The archive in circulation contains enough details to make a malicious message more credible.
An uncertain volume
The precise volume of the data leak is still unclear, with more than 200 million users affected. According to the administrator of the Breached forum, devoted to data leaks, the 262 GB archive which was leaked for free at the end of December 2022 contains information relating to 257 million users.
According to the Have I Been Pwned service, however, the leak involves 229 million unique e-mail addresses. Finally, the Restore privacy site, which had spotted the attempt to sell the data in November 2022, referred to data on more than 240 million users.
The person who put the data up for sale also estimated that 46 million French users were affected by the leak. France, the platform’s home market, is unsurprisingly the most affected country, ahead of Brazil, Great Britain and Germany.
Awkward communication
Deezer, questioned by Restore privacy at the beginning of December 2022, confirmed the incident and said it was working with the French authorities. In particular, it has a legal obligation to notify the CNIL, the French data protection authority. The company's communication, however, has been far from exemplary.
It chose to communicate about the breach not through a press release but, more discreetly, by publishing an article in its help center. There, Deezer explains that it is the indirect victim of a data breach suffered by an undisclosed partner in 2019.
Another example of this clumsy communication: although the leak affects users in several countries, including many French people, the company simply refers its customers to a New York Times guide to learn about the risks related to the protection of personal data.
Deezer, launched in 2007, went public this summer. The company, backed by the Pinault family and banker Matthieu Pigasse, claims a 30% market share in France but carries little weight globally, with 2% of the worldwide streaming market, far behind Spotify.
The platform has just changed the chair and vice-chair of its board of directors, with its two executives Guillaume d’Hauteville and Iris Knobloch having swapped positions.