Data Breach Hits 7 Million DatPiff Users, Hackers Sell Stolen Credentials

Published: March 14, 2022 in our Security Fraud News & Alerts Newsletter.



DatPiff, the popular mixtape hosting platform with over 15 million users, recently suffered a data breach exposing the PII (personally identifiable information) of more than 7 million of its fans. Stolen DatPiff user data includes passwords, usernames, email addresses, and security questions. That’s bad enough, but the remainder of its database, an additional 7+ million users, is still at risk of having PII abused as well.


It’s an ongoing mystery when this latest DatPiff data breach started to hatch. Bleeping Computer finds the breach could have started as far back as two years ago with other activity involving DatPiff’s user database.


Bleeping Computer reports that in July of 2020, the database was first sold privately to a data breach collector and then sold publicly on underground hacker forums that same month. Three months later, a different data breach collector sold the data again on the same hacker website. Only this time, the hashed passwords had already been cracked ("dehashed") and were ready to use for the right price. Password crackers dehash stored passwords and other PII to recover the easy-to-use and ready-to-abuse plain text.
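Why a leaked table of hashed passwords can end up as plain text, and what salted, slow hashing changes for a site that stores passwords, is shown in the following added example (not code from DatPiff or Bleeping Computer). It assumes unsalted SHA-256 as a stand-in for a fast hash, since the article does not say which algorithm DatPiff used, and every account, password and function name in it is constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not breach data); two users share a password.
USERS = {"alice": "summer2020", "bob": "summer2020", "carol": "x9!Lq_v7Rt#2"}
# Constructed stand-in for a list of commonly used passwords.
COMMON = ["password", "123456", "summer2020", "letmein"]
PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example


def fast_unsalted(password):
    """Weak storage: one fast hash, no salt (SHA-256 as a stand-in)."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], digest)


def exposed_by_lookup(hash_table, candidates):
    """Accounts whose unsalted hash matches a precomputed common-password hash."""
    lookup = {fast_unsalted(c): c for c in candidates}  # computed once, reused for all users
    return {user: lookup[h] for user, h in hash_table.items() if h in lookup}


def shared_hashes(hash_table):
    """Groups of users with identical stored values (visible password reuse)."""
    groups = defaultdict(list)
    for user, stored in hash_table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    weak = {u: fast_unsalted(p) for u, p in USERS.items()}
    strong = {u: slow_salted(p) for u, p in USERS.items()}
    print("unsalted, exposed:", exposed_by_lookup(weak, COMMON))
    print("unsalted, shared :", shared_hashes(weak))
    print("salted, shared   :", shared_hashes({u: d for u, (_, d) in strong.items()}))
    print("salted login ok  :", verify_salted("summer2020", *strong["alice"]))
```

With the unsalted scheme, one precomputed table exposes every account that uses a common password, and identical stored values reveal which users share one. With a per-user salt and a slow KDF, neither shortcut applies, and each guess has to be recomputed per account.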



Can You Hear The Crickets?


A search of DatPiff’s website News page has no mention of any data hack involving their platform or its users. In fact, DatPiff has yet to acknowledge the latest data breach even occurred. There have been no statements or notifications warning users about the breach, something security experts find irresponsible for many reasons. Most concerns have to do with the data of victimized users being at continued risk and its vulnerability to further abuse by bad actors.


Stepping into the DatPiff alert void is the Have I Been Pwned website. It welcomes the millions of breached DatPiff users to its site, where they can easily find out if their data’s been compromised. It shows where, when and what data was compromised in any number of breaches. It’s a no-funny-business, totally legitimate website that even the FBI relies on to help with investigations. Anyone can access it free of charge to find out if their email address has been compromised in a data breach.


Other security steps are recommended for data theft victims. If your email address was stolen, be keenly aware of targeted phishing attempts using your PII as a lure. Even if you find your data hasn’t yet been compromised in a particular breach, it still could be. Immediately change your password and username on the breached website, making them useless to a hacker. If that password or username has also been used for other accounts (which you should not do), don’t wait to change them, too.

