Date: 2023-01-02

The year started with bad news for Deezer users. This Monday (2), Have I Been Pwned reported a data leak that reached 229 million accounts of the music streaming platform, affecting Brazilians and people from other countries. The information, including date of birth, email and IP address, comes from a backup file exposed in 2019.


The alert was distributed to those affected in the early hours of Monday (2).

According to the notification, on April 22, 2019, the streaming platform was the victim of a data leak, but the case was only recognized at the end of 2022.

“The breach dates back to a mid-2019 backup exposed from a third-party partner that was later sold and widely redistributed on a popular hacking forum,” the leak’s description reads.

In all, the exposure reached 229,037,936 accounts of various nationalities.

The compromised information includes several kinds of personal data, among them dates of birth, names and Deezer usernames.

Email addresses, IP addresses, spoken languages and geographic location (city and country) were also exposed.

Have I Been Pwned notification to Deezer users (Image: Reproduction/Tecnoblog)

Brazilians' data was exposed

Further details were reported by RestorePrivacy in December. According to the specialist website, the data, which totals 60 GB, has been available on a forum since November 2022.

Brazilians are among the most affected. According to the report, 37.1 million of the accounts affected by the leak were registered in Brazil. The country is in second place, however, behind only France, which had 46.2 million profiles affected.

Faced with the situation, Deezer issued a statement on a support page: “We were informed that one of our partners suffered a data breach in 2019 and a snapshot of our users’ non-confidential information was exposed”, they announced.

Also according to the statement, the supplier has not worked with the streaming platform since 2020.

“Deezer’s security systems remain effective and our own databases are secure,” they stressed.


Leak is among the biggest in recent years

Troy Hunt, the person responsible for Have I Been Pwned, made some remarks about the case on his Twitter profile this Monday (2).

According to the security researcher, this is the biggest leak reported by the platform since Facebook’s phone numbers were scraped in April 2021. In a series of tweets, Hunt noted that a security analyst had reported security flaws at Deezer:

“Interestingly, when looking through my records on this case, I found a tweet from late 2019 about a possible security breach,” he said. “This is an information security guy, but your dates may not line up as the most recent timestamp I found in the data was April 2019.”

In fact, the quoted tweet was published in December 2019. Meanwhile, the leak records point to April 2019.

Even so, analyst Elliot Reynolds warned Deezer that he found his credentials “dumped online in plain text”. Fortunately, the streaming platform responded right away: “thanks for your feedback, I will pass it on to the responsible team”.

We just don’t know if the problem was, in fact, solved.


Can Deezer be penalized for the leak?

Contacted by Tecnoblog, Danilo Roque, a partner in the Data Protection area at FAS Advogados, explained that the penalties provided for by the LGPD only started to take effect in 2021. Therefore, as the incident happened in 2019, “Deezer would not be subject to the sanctions of the data protection”.

However, this does not mean that the company is immune to possible penalties. Roque said that any user who has suffered damages due to the leak may seek compensation.

However, the damage, even if moral, must actually be proven.

“We cannot forget, however, that, as we are talking about a consumption relationship”, he concluded. “There is a possibility that Deezer will be fined based on the Consumer Protection Code (CDC).”

What does Deezer say?

Contacted by Tecnoblog, Deezer confirmed the leak, but stressed that no sensitive data was exposed. Read the statement in full:

“The leak happened when a partner, which we haven’t worked with since 2020, suffered a data breach. However, no sensitive information, such as passwords and CPFs, was exposed. Our database remains secure. But we always recommend that users update their passwords regularly to keep their data even more secure,” they explained.

Updated at 2:41 pm to include Deezer's statement.