A staffer of social music streaming site 8Tracks is having a really bad day: a bit of GitHub carelessness has leaked 18 million user accounts.
The good news: the service assures users passwords in the database were salted and hashed – however, the usual “don’t re-use passwords” still applies.
People who signed up to 8Tracks via Google or Facebook aren’t affected.
As the company explains in its fess-up post, the source of the leak was an inadequately-secured GitHub repository: an employee wasn’t using two-factor authentication. 8Tracks found out when there was an unauthorised attempt at a password change, and on investigation it found backups of database tables in the staffer’s repo.
“We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system,” the post says.
“We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption”.