Thousands of British music fans have had their personal data stolen and are in danger of being targeted by online fraudsters, after the website of dance act Faithless was hacked.
Experts fear the breach of faithless.co.uk, affecting some 18,000 people, will be repeated on other music websites.
In the hack, a single piece of malware was uploaded via a common hacking technique known as SQL injection, which allowed it to get past the website's defences.
It was spotted by internet security firm CyberInt, which monitors hacking activity. The breach became apparent last September but was only confirmed by the cyber security company yesterday.
“We have a system that collects cyber threat intelligence in real time, and as part of our work we uncovered a Faithless database being sold on the dark web, and we flagged it up with them,” Elad Ben-Meir, the company's vice president of marketing, told The Independent.
“I think they fixed the issue but they didn't quite go out and tell anyone that, so that leaves their fans, about 18,000 people, unaware that their private information has been compromised,” he added.
Faithless, regarded as pioneers in British dance music, have sold some 12 million records worldwide since they formed 20 years ago. The group, whose members go by the names Maxi Jazz, Sister Bliss and Rollo, are best known for their hits “Insomnia” and “God Is a DJ”.
The management company which represents the band did not respond to requests for comment yesterday. In the meantime, users of the Faithless website remain at risk of online fraud, according to CyberInt. Their data, which is understood to include personal email addresses and passwords used to access the site, is now being sold on the dark web.
“Although the actual details for sale on the dark web are likely to sell for only a few hundred dollars, they could end up costing unlucky music fans far more,” warned Mr Ben-Meir.
Even limited information, such as an email address combined with details of someone's musical tastes, can be valuable to cybercriminals.
“The fraudster will send the fan a spoof email asking the victim to open an attachment or follow a link to a fake phishing website,” said Mr Ben-Meir. “Once the attachment is opened or the link clicked, the hacker could gain additional information about the fan or even take control of the fan's computer.”
Music websites are attractive to cybercriminals as there is often a relationship of trust between fans and performers. Mr Ben-Meir suggests that the Faithless hack “could signal the start of a new trend of attacks on the UK's £3.5 billion-a-year music industry.”
Sony Music has been repeatedly hacked in the past five years, and the websites for artists such as Lady Gaga and Jessie J have also been targeted. The theft of data from the Faithless website is one of a series of high-profile hacks in recent months, which have included the BBC news website and its iPlayer service. – The Independent