The 8tracks internet radio and playlist service has been hit by an attack in which the email addresses and passwords of over 18 million accounts were stolen.
Only users who signed up with their email as a mode of login have their password in the database. If you signed up to 8tracks via Facebook or another social login authentication scheme (OAuth), then your password is not in the database that is being traded on darknet marketplaces.
8tracks' user passwords are hashed and salted, which in theory means that neither employees nor attackers can read them, unlike passwords stored in plain text.
Salting a hash means adding a random string of characters (called the salt) to either the beginning or the end of the password before hashing it. The salt is different for each password in the database, which makes precomputed rainbow tables far less useful against it.
However, the algorithm the internet radio/music social network used to hash the passwords is SHA-1. Unfortunately, this particular algorithm is considered weak, as it is prone to length extension attacks. In practice this means that your password is not safe, because the attackers could recover it from the hash. You should change your 8tracks password now. Moreover, if you use this password for accounts on other services, you should change those as well.
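To make the two preceding paragraphs concrete, here is an added Python example (not code from 8tracks or from the article). It shows that the same password combined with two different salts yields two different SHA-1 digests, so a table precomputed for one salt is useless against another, and it contrasts a single salted SHA-1 with a PBKDF2-HMAC-SHA256 record of the kind a service should store instead. The concatenation order salt || password, the 600,000 iteration count and the sample password are assumptions made for this example, not 8tracks' actual settings.

```python
import hashlib
import hmac
import os
import time

# Constructed sample values for this example; not taken from the 8tracks data.
PASSWORD = "correct horse"
ITERATIONS = 600_000  # assumed PBKDF2 work factor, not 8tracks' configuration


def sha1_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1 as a single digest of salt || password (assumed layout).
    Deterministic, so it can be verified at login, but very fast to compute."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_pbkdf2_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Store a password with a random 16-byte salt and a slow, iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def guesses_per_second(func, seconds: float = 0.5) -> float:
    """Rough throughput of one hashing function on this machine, single-threaded."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        func(f"guess{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    salt_a, salt_b = os.urandom(8), os.urandom(8)
    # Same password, two salts, two unrelated digests: one table per salt would be needed.
    print(sha1_salted(PASSWORD, salt_a))
    print(sha1_salted(PASSWORD, salt_b))

    rec = make_pbkdf2_record(PASSWORD)
    print("correct:", verify_pbkdf2(rec, PASSWORD), "wrong:", verify_pbkdf2(rec, "wrong"))

    # Salting does not slow an attacker who already holds the salt; the work factor does.
    fixed_salt = b"\x00" * 8
    fast = guesses_per_second(lambda p: sha1_salted(p, fixed_salt))
    slow = guesses_per_second(
        lambda p: hashlib.pbkdf2_hmac("sha256", p.encode(), fixed_salt, ITERATIONS),
        seconds=2.0,
    )
    print(f"salted SHA-1: ~{fast:,.0f} guesses/s; "
          f"PBKDF2 ({ITERATIONS} iterations): ~{slow:,.1f} guesses/s")
```

The throughput figures will vary by machine, but the ratio is what matters: a salt forces an attacker to attack each account separately, yet a single SHA-1 per guess still lets them try an enormous number of candidate passwords per second against each leaked hash, which is why a deliberately slow, iterated function is the defensive choice.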
How the passwords were obtained
The attackers obtained the email addresses and passwords by gaining access to an employee's GitHub account (GitHub hosts code repositories).
We believe the vector for the attack was an employee’s Github account, which was not secured using two-factor authentication. We were alerted to this breach by an unauthorized password change attempt via Github, and it was verified independently by examining data from journalists and a security services company.
This sensitive information was stored in a backup of the web application's database.
it did allow access to a system containing a backup of database tables, including this user data.
Once again, this example shows that even when you sign up to free online services, you should pick a unique password. Password reuse is a real problem with online services, as one hacked website is enough to put every other account where you reuse that password in jeopardy.
Source: 8tracks blog post