First launched in 2005, DatPiff has over 15 million registered users, and the service also allows unregistered visitors to download or upload samples for free.
While it's still unclear as to exactly when DatPiff suffered a data breach, the site's database was first sold privately and then publicly on hacking forums beginning in July of 2020 according to a new report from BleepingComputer.
In total, the stolen DatPiff database contains 7,476,940 member records including the email addresses, passwords, usernames and security questions of its users.
Beginning in November, another cybercriminal began selling the DatPiff database on the same hacking forum. This time, though, the records it contained had been cracked ("dehashed"), pairing each user's email address with their plain-text password. Someone else then took things a step further by releasing the database for free, allowing anyone to download it and use the information it contains for credential stuffing and other malicious activity.
The reason the passwords in the database could be cracked is that DatPiff hashed them with MD5, a general-purpose hash published in 1992 that is now considered obsolete for password storage: it is fast to compute and, as used here, apparently unsalted. Unsalted MD5 hashes can be "dehashed" by comparing them against precomputed lists of MD5 hashes for common passwords and known wordlists, or by running cracking tools that brute-force candidates at billions of hashes per second on commodity GPUs. A salted, deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) defeats the precomputed-list approach and makes brute force far more expensive per user.
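To make the point concrete, here is an added example (not code from the article or from DatPiff) that cracks a small set of constructed, unsalted MD5 records with a wordlist, then shows the same attack against per-user salted PBKDF2 hashes. The usernames, emails, passwords and wordlist are all constructed for illustration; the hashes are computed inline so the script runs offline.

```python
"""Added example: unsalted MD5 versus a salted, slow KDF.
All records and the wordlist below are constructed for this example."""
import hashlib
import hmac
import os

# Constructed wordlist, standing in for the common-password lists crackers use.
WORDLIST = ["password", "123456", "letmein", "datpiff2020", "hunter2", "qwerty"]


def md5_hex(pw: str) -> str:
    """Unsalted MD5, the scheme the article says DatPiff used."""
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed "leaked" records: (username, email, MD5(password)), no salt.
LEAKED = [
    ("mc_alpha", "alpha@example.com", md5_hex("letmein")),
    ("beatz", "beatz@example.com", md5_hex("datpiff2020")),
    ("unique1", "u@example.com", md5_hex("c0rrect-h0rse-battery")),  # not in wordlist
]


def crack_unsalted_md5(records, wordlist):
    """Hash each wordlist entry once, then look every leaked hash up.

    Because there is no salt, one precomputed table serves all users:
    total work is len(wordlist) hashes regardless of how many records
    there are. Returns {username: recovered_password_or_None}."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table.get(h) for user, _email, h in records}


# --- The fix: per-user random salt plus a slow, iterated KDF -----------------
ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; tune for ~100 ms per hash


def hash_password(pw: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Return (salt, derived_key). A fresh 16-byte salt per user means two
    users with the same password get different hashes."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, dk


def verify_password(pw: str, salt: bytes, dk: bytes, iterations: int = ITERATIONS) -> bool:
    """Constant-time comparison so verification itself does not leak timing."""
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)


def crack_salted(records, wordlist, iterations: int = ITERATIONS):
    """Same wordlist attack against (username, salt, dk) records.

    No shared table is possible: every (user, candidate) pair costs one
    full KDF run. Returns ({username: password_or_None}, kdf_runs) so the
    caller can see how the work scales with the number of users."""
    found, kdf_runs = {}, 0
    for user, salt, dk in records:
        found[user] = None
        for w in wordlist:
            kdf_runs += 1
            if verify_password(w, salt, dk, iterations):
                found[user] = w
                break
    return found, kdf_runs


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEAKED, WORDLIST))
    salted = [(u, *hash_password(p)) for u, p in
              [("mc_alpha", "letmein"), ("beatz", "datpiff2020"),
               ("unique1", "c0rrect-h0rse-battery")]]
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
```

The salted version still recovers the two weak passwords, because a wordlist attack is about password quality, not the hash alone; what changes is the cost. The unsalted run computes six MD5 hashes for any number of users, whereas the salted run needs up to one slow KDF call per user per candidate, which is what makes cracking millions of records with real wordlists impractical.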
In December of last year, BleepingComputer was told that an attacker had breached DatPiff's website using a vulnerability scanner, which turned up a flaw that allowed access to a server holding an old database backup.
Although DatPiff has yet to release a statement or notify its users by email regarding the incident at the time of writing, anyone with an account on the site should change their password immediately, and change it on any other service where the same password was reused, since the leaked email-and-password pairs are exactly what credential-stuffing attacks feed on. Because security questions were also exposed, answers reused elsewhere should be treated as compromised. Going forward, consider using a password generator to create strong, unique passwords and a password manager to store them securely.