Answered

Tell me about your data breach


Userlevel 1

...the one that happened to Deezer in 2019 but has only recently been reported by HaveIBeenPwned. I can’t seem to find anything on this site about it. I haven’t received email from Deezer about it. Yet it evidently affects 204 million Deezer customers.

Best answer by Jaime. 6 January 2023, 11:42

17 replies

Hey @barbless

Since the beginning of November 2022, this message can be found on Deezer's support pages:

https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach

Unfortunately, I can't tell you why no info mail was sent.

Userlevel 1

Thanks @dee_dirk ! Wouldn’t have noticed this, since it’s labeled Third Party.

Just saying, it is disappointing that Deezer is taking this tack - labeling it as a third party problem and doing almost nothing to alert their customers. After all, it is their data from their customers. The way to alert customers is not to hide an article about a breach in Support pages, it is to actually contact all the users.

It’s laughable that they “are actively working to take appropriate action to safeguard the breached data.” The data is breached and being sold - it’s no longer in their control.

It’s distressing that they failed to identify all of the specifics about the breached data. They say “basic information such as first and last names, date of birth, and your email address”. But actually it includes those fields and: gender, location data (City and Country), join date, and User ID. All of those fields can be used to craft a very convincing targeted phishing message.

And despite their attempt to portray this as someone else’s fault, it is actually their fault since they evidently failed to properly manage their third-party relationship. (Meaning, their contract ought to have required the third party to delete Deezer’s data when the contract ended.)

I fully agree with @barbless. Did you try to request anything from their customer service directly?

I also feel so disappointed; such an amateur move from their side that it’s really annoying treating users like that.

Hello,

I have also just been alerted about that, since I got email from Firefox Monitor.

Is it something new that we are not aware of? I assume there should be a very rigid reaction from Deezer ASAP.

Nash, they won't do a thing about it; some message got hidden in the bowels of the Deezer archives and they're happy to wash their hands of it and carry on trying to rinse their customers for everything they can get.

This is the email I received
I received an email and, just like @djlevan, I was expecting something from Deezer on this, but nothing.
I asked them on their Twitter account, no reply.

Worrying, as if a data breach is detected, as per GDPR (and irrespective of who owns the company, if a user is in the EU/UK Deezer has to abide by these laws) the LAW states under Article 33 GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it “

I received no notification from Deezer and like others received a notification from Firefox

If they had a third party they shared the data with and this was compromised Deezer still, under Article 33, has a legal requirement to let people know.

I would like to know why we weren’t told of a breach - even if it’s third party if it involves data Deezer holds or processes they are legally bound to inform those affected

To find out about a breach from 2019 through a separate service is a clear breach of the law. Why did Deezer think they could not inform us and break international law in multiple countries?

@katy8439 Totally aligned with you.

They are the data processor and should take care of their processors. Then should have warned the data subject.

It is highly worrying that they did not feel it necessary to inform us.

I have asked them to justify the reason for deciding not to let the data subjects be informed. Depending on their answer, I will raise the concern with the CNIL; unless I am mistaken, this is the authority they depend on.

https://www.cnil.fr/fr/agir

To be used once you have tried to contact Deezer and they fail to answer or their answer is not satisfying enough to you.

I cannot believe that I have been informed of this by HaveIBeenPwned or Firefox Monitor (which I thank for that)

Userlevel 7
Badge +7

Immediately after learning of the data breach in November 2022, we contacted the CNIL (Commission Nationale de l'Informatique et des Libertés), with whom we have been working ever since, particularly with regard to the communication we must make to users. In order not to wait for the outcome of this work, we published an article on our support site to inform the users concerned about the data leak. We are currently finalizing our user communication with the CNIL, which will be sent to those affected by the breach.
The data included in the sample are mainly email address, date of birth (usually in the form "01-01-XXXX" since we only ask for age), name (usually a pseudonym), gender, language used, country, general information regarding subscription, and communication preferences (opt-in/opt-out). The sample does not contain any sensitive data, passwords, payment data, service usage data (such as listening history), geolocation data, or data that would allow for the description of the user habits. Furthermore, it is important to note that this is old data, dating back more than three years.
As far as Deezer's systems are concerned, their security is not compromised and, of course, we will continue to enhance our capabilities to ensure their protection and the protection of our users' data, including vulnerability scans and penetration tests.

This is even more -stupid- (sorry, can not find a better word). By not communicating and reassuring your users, your customers, you are building fear and anxiety and diminishing trust. You do not show you are in control.

Besides, I am not sure how much of what you say should be taken for granted. I have, myself, worked with the CNIL as well; they do not recommend or tell you what to do (proactive). They evaluate what you have done and whether it was enough (reactive).

I think you made, at least, a big communication mistake.

Learning this from a security monitoring site such as HaveIBeenPwned makes you look clueless and careless about your own users and data.

I stand by my initial statement. If, when, I receive an answer from the support about this and it is not satisfying, I will file a complaint with the CNIL, and I would recommend the same to anyone who is not sure about the way you have handled this incident. Even if it cannot change what happened and how you handled the incident anymore, it may prevent Deezer from making the same type of mistake again.

The whole purpose of GDPR is to let users deal with their data and keep them in control. You patronize your customers and told them they do not need to know… which, by the way, is interesting as your communication suggested changing your password... don’t you think, then, this should have been sent to said users??

Let’s be serious.

Userlevel 1

@Jaime. thank you for bringing what appears to be an “official” perspective to this discussion.

What your message describes is a compliance-focused security program, which is the bottom of the barrel. Working with compliance agencies to find out what, as you say above, they require that Deezer must do at some point in the increasingly distant future for something that happened in the distant past. A hallmark of this approach is for customers to see communications that originated in Legal or Communications, not Security. That communication, whenever it gets here, likely will check all the compliance boxes. And, like your message or the one already posted in Support, will leave your customers questioning at best, seething - or gone, like me! - at worst.

A better alternative at this point is to pose the “how should this best be handled” question to your Security team (you have one, right?), and, if they have been properly funded and trained, to follow their recommendation.

Userlevel 2
Badge

Yeah, I’ve just started receiving pharmacy spam from “Canada RX”. I know it is from this breach as the email is a unique (random) email address. How about not giving your users’ data to third parties, Deezer?

Userlevel 2
Badge

I just got an alert that Deezer had a data breach and my info was found on the dark web. 1/20/2023

Userlevel 4
Badge +3

Yea, Deezer botched the communication. They damaged their credibility with how they report to customers. So people are right to worry about “what about the next breach?”

But as a practical matter, I’m not so worried about the breach itself.

It happened in 2019, three or four years ago. The “horse was long out of the barn” when they discovered it in November 2022. See what I mean? Yea, they should have reported it within 72 hours. Absolutely they should have. But I don’t think it would have made any difference if they had, not with regard to the stolen data. Too late for that.  

(I even wonder if there are any provisions or practices for long-ago breaches. It could make some sense, as in, don’t get everyone in a tizzy if nothing can be done. Besides, in my mind, isn’t it normal for people to update their password regularly? And if you don’t, now you have a reason to do so.)

We'll see what happens. 

Userlevel 1
Badge

I set up my Deezer account with a unique email address which is only used for Deezer.

Today I am getting spam from Brand Medicals-Express on that email address.

Has there been another data breach?

I will change my Deezer registered email address and kill the existing one as a precaution.

Userlevel 7
Badge +10

https://support.deezer.com/hc/en-gb/articles/7726141292317-Third-Party-Data-Breach

There has not been another breach since, no