The email addresses and passwords of nearly 7.5 million DatPiff users have been posted and made available for download on a popular hacking forum.
Launched in 2005, DatPiff is a popular mixtape hosting platform with over 15 million registered users. Unregistered users can also upload and download sample content at no cost.
No date for when the data breach actually occurred
Despite such a significant volume of data being made available, it remains unclear when DatPiff was actually affected by a data breach. According to a report from Bleeping Computer, DatPiff’s database was first sold privately and subsequently publicly on hacking forums as long ago as July 2020.
The database in question holds 7,476,940 member records, including:
- Email addresses
- Security questions
DatPiff database sales continued in late 2021
In November 2021, another cybercriminal or group began selling the above database on the same forum where it originally appeared in July 2020. However, the November 2021 version of the database included dehashed, plain-text passwords and email addresses.
Someone subsequently acquired this version of the database and released it to all forum users shortly afterwards. As such, these millions of DatPiff users are now at risk of seeing their DatPiff account compromised as well as potentially being targeted by phishing and other scams.
Cybercriminals could crack the users’ passwords because DatPiff was using the now obsolete MD5 algorithm to hash them.
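To illustrate the point about MD5, the following added example (not the article's or DatPiff's code) contrasts the legacy scheme with a salted, slow hash. It assumes the MD5 hashes were stored unsalted, which the article does not state; the sample users and the PBKDF2 storage format are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share the same password.
SAMPLE_USERS = [
    ("alice@example.com", "Summer2020"),
    ("bob@example.com", "Summer2020"),
    ("carol@example.com", "correct horse battery staple"),
]


def md5_store(password: str) -> str:
    """Legacy scheme: unsalted MD5, hex-encoded. Fast, deterministic, and
    identical for every user who picked the same password (assumption: no salt)."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Hardened scheme (hypothetical, not DatPiff's): per-user random salt plus a
    deliberately slow PBKDF2-HMAC-SHA256. Stored as 'pbkdf2_sha256$iters$salt$hash'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def looks_like_unsalted_md5(stored: str) -> bool:
    """Audit check for a password table: a bare 32-hex-char value is the
    fingerprint of legacy MD5 storage and should be flagged for migration."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def duplicate_hash_count(stored_hashes) -> int:
    """Unsalted hashes reveal which users share a password: every collision in the
    store means one cracked value exposes several accounts at once."""
    return len(stored_hashes) - len(set(stored_hashes))


if __name__ == "__main__":
    legacy = [md5_store(pw) for _, pw in SAMPLE_USERS]
    hardened = [pbkdf2_store(pw) for _, pw in SAMPLE_USERS]
    print("legacy duplicates:", duplicate_hash_count(legacy))      # 1 (alice == bob)
    print("hardened duplicates:", duplicate_hash_count(hardened))  # 0
```

Running it shows the two users with the same password get identical MD5 values but distinct salted hashes, which is why a single cracked MD5 value maps straight back to every account that used it.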
Although the source of this specific breach remains unknown, a December 2021 Bleeping Computer report said that an attacker could access DatPiff using a vulnerability scanner, allowing them to access a server using an old database backup.
At the time of writing, DatPiff hasn’t yet notified users of the incident, made a public statement, or forced users to reset their passwords.
What should I do if I am a DatPiff user?
If you’re a DatPiff user, you should use the Have I Been Pwned service to discover if your email address was involved in the breach.
However, even if it wasn’t, given the potential vulnerabilities associated with DatPiff, it is strongly recommended that you:
- Change your DatPiff password
- Use a unique, strong password, ideally using a password manager to set and store your password
- Ensure you only use this password for DatPiff
- Use two-factor authentication (2FA) if it becomes available