Deezer admits data breach that potentially exposed over 220 million users’ info

France-based music-streaming platform Deezer has admitted being hit with a data breach that potentially compromised the information of over 220 million users.

The extent of the incident was revealed by Have I Been Pwned, an online tool for checking whether personal data has been leaked in security breaches, in emails to users seen by MBW.

It estimates that 229,037,936 people’s data was compromised in an incident dating back nearly three years.

The leaked information included users’ dates of birth, email addresses, genders, geographic locations, IP addresses, names, spoken languages and/or usernames.

The hacking dates back to mid-2019 when a Deezer third-party partner fell victim to a breach. The incident exposed user data, which was then sold on a popular hacking forum.

“The data in question had been handled by a 3rd party partner that we haven’t worked with since 2020, and it was this partner that experienced the breach. Deezer’s security systems remain effective, and our own databases are secure,” Deezer said in November 2022 shortly after the information came to light.

Deezer confirmed that the exposed data included basic information such as first and last names, date of birth and email addresses. The company noted that no information regarding passwords or payment details has been discovered.

As of the end of September 2022, Deezer had 9.4 million active subscribers, according to its investor filings.

“We have been made aware that one of our partners experienced a data breach in 2019, and a snapshot of our users’ non-sensitive information was exposed,” said Deezer.

RestorePrivacy, which first reported on the breach, posted a screenshot of the hacker’s post on a cybercrime forum called Breached.

The post read:

“Today [I’m] selling the information of over 200+ million users from 2019 (specifically before September-October of 2019). It includes Users CSV which is a 60gb file with 257,829,454 records, of those records there are approx. 228 million non anonymized unique emails. A CSV containing logged user sessions (IP Address and device). Profiles CS, and a folder named final containing 106 CV’s. Source is still unclear but it seems like Deezer hired a third party data analysis company to analyze their users. [I’ll] wait for Deezer to confirm where this came from lmao. First buyer also [receives] access to where this came from ([there’s] some extra stuff in the source of this).”

The hacker claims that the data breach affects users in France, Brazil, the UK, Germany, Mexico, Colombia, Turkey, the US, Italy and Guatemala.

Deezer — which lags far behind Spotify in terms of user numbers — has recently implemented a strategy of focusing on select key markets including France, Germany, the UK, Brazil and the US.

RestorePrivacy, a digital privacy advocacy group, said it obtained samples of the leaked data for analysis and confirmed that all data matches publicly-available information from affected Deezer users.

Deezer says it is unaware of any actual misuse of the data, but that it is “actively working to take appropriate action to safeguard the breached data.”

Deezer isn’t the only music streaming platform to suffer a data leak in recent years. Spotify was hit with three security incidents in the span of just a few months in 2020.

Spotify’s most recent breach, in December 2020, compromised the accounts of over 300,000 users after hackers used login credentials from a third party.

Spotify confirmed the breach at the time, saying the incident may have affected users’ email address, display name, password, gender and date of birth.

Music Business Worldwide