Today I was alerted by two different identity monitoring services that some of my personal information had been found on the Dark Web. One of the services allowed me to review the exposed data, which included my email address and, surprisingly, the leaked password as well.
With this information I went to my password manager, to try and figure out which website was the one on which I was using that particular variation of my “typical” password (which I routinely change by adding special characters and numbers in different positions… I’m sure I’m not alone in that less-than-ideal practice).
To my surprise, the only website that uses that password (out of the hundreds in my password manager) was Qobuz. Nothing on their website speaks of a security incident, so I’m not positive that they were hacked. Who knows. Maybe they were and aren’t even aware.
I still thought it was worth it to alert this community. If you received a similar alert lately, or maybe even if you haven’t, you may want to change your password at Qobuz and also at any other sites where you may have used the same id/password combo.
As mentioned, there are plenty of platforms that monitor for data breaches. You probably already have one if you have an Apple or Google phone or computer. Nord VPN also provides this service as part of its package. I’ve checked and I have no reports of a data breach from Qobuz on any of them.
I have identified that my email address (one used uniquely for Qobuz) was most likely stolen from Qobuz and acquired by another company.
Telling this to Qobuz is a joke. I emailed the support address listed on their website’s privacy and data terms – a day later it bounced back with this spectacularly incompetent failure message:
554 5.4.7 [internal] message timeout (exceeded max time, last transfail: 451 Temporarily unable to find 00D58000000JmCx at EU56 originalInstance eu16)
The website then tells me to use the contact form available from the corner of the app. But the app has forcibly logged me out and gives an unexplained error message when I try to log in again.
I got into the app on a different machine. There is no contact form, just a chatbot. Entertaining promised response time from a chatbot:
Asking the chatbot for contact details gives this:
I apologize, but we don’t provide a direct email address for customer service. However, we do have a dedicated contact form for you to reach our team. You can find this by visiting our website and clicking on the “Help” or “Contact” link, usually at the bottom of the page. This will take you to our customer service contact options.
Well that’s all very well, but the only thing the Help link does is send us back to the chatbot; and there is no Contact link.
When I say I want to report a cybersecurity issue the chatbot then says, believe it or not, that I should send a LETTER by registered mail to their office in France. No thanks.
It is seriously worrying that a company has no way to provide the data they need to diagnose a cyber issue.
They are likely to be in breach of GDPR, I believe, by not notifying us (other than the generic message on the website which I do not think is sufficient).
I do for some sites, typically the ones I access on my desktop computer where I have the password manager. For sites or apps that I use on my phone, I prefer passwords that are more easily typed/remembered. Probably less than ideal…
@Suedkiez mentioned a few. The ones that I use are OnAlert (portal.onalertid.com) and Microsoft Defender. When they send an email alert, I log into their webpage and check the alerts on the sites.
I believe that there has been a security breach at Qobuz. Let me explain…
I have been having a lot of issues with Qobuz lately. I believe that they have an active security breach. If you comb through the forums here, there are people talking about random Tracks, Albums and Artists showing up in their favorites. I’m talking about music that you KNOW you don’t like or listen to.
Personally, I have deleted about 40k tracks and about 800 artists that I don’t listen to that were listed in my favorites in Qobuz. Of course, this muddies up my Roon statistics and favorites there too.
Long story short, I have used 1Password for about 12 years and generate random passwords for EACH of my websites. For Qobuz I had a 15-digit pass that included caps and lower-case as well as numbers and special characters. So my side of the firewall hasn’t been breached. Yes, I changed my password to 22 characters and have spent 8 hours or so cleaning up my account. It still hasn’t stopped but has slowed down.
Qobuz has been slow to respond (probably because they had a lot of fires to put out), but I finally have them working with me. They are aware of the issues but aren’t admitting anything to me.
If it makes you feel any better, my information (as well as my wife’s) has been on the black market for about 5 years now. It’s not because I have lazy passwords, it is because many companies have been hacked over the years, so a lot of us are already there in the black market.
All you can really do is do as some have suggested here already… change your password, use a password manager with random/complex passwords, never click a link in your emails and lock your credit with the 3 agencies (I’m in the USA).
FWIW I use iOS Passwords app to manage my passwords.
All my accounts use the feature to hide my email and iOS Passwords generates a random email. A fairly robust password strategy.
The only account I’ve had hacked in the last 10 years is my Microsoft Hotmail/Outlook. Since then I have requested them to close that account and delete all data. Guess what, they haven’t. I’m writing to Bill now.
Unless it’s happened in the past pre-GDPR, or in the last 72 hours and is yet to be reported.
I would be amazed if a French, data-centric company like Qobuz weren’t fully aware of their requirements under GDPR and the penalties they’d face for not disclosing a breach - €20 million or 4% of a company’s annual global turnover, whichever is greater.
You wouldn’t get as far as signing an agreement with a major record label without being well aware of this.
Not saying their codebase couldn’t have had a bug in the past, where a ‘like’ was assigned to the wrong user ID, although I have never experienced that myself. This wouldn’t class as a breach of personally identifiable information.
But a data-centric European company, dealing with major record labels and a large subscriber base, not disclosing a major breach of user details - that is known about at senior or company-wide levels - extremely unlikely I’d say, too much on the line.
I own a domain. Whenever I sign up to a service, I basically use another mail address which all gets sent to my inbox (catchall). So the email I signed up with was qobuz@[mydomain].TLD
Guess what I found in my Spam folder just now? An email received on 27.04 from quotes@business1.theinsurancequoter.com, telling me to “sign up through Navan and get $500 back for continuing your booking through Navan”. And it of course got sent to my qobuz email.
Not sure what could be behind this except a data leak. Either they’re trying to hide the leak, which would be incredibly stupid, or they don’t know about it yet…
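The per-service catch-all alias described in the post above doubles as a leak detector: any mail that reaches the alias from a domain other than the one it was handed to is evidence that the address left that service. This is an added example, not code from the thread; the alias registry, the example.net domain and the sample messages are constructed for illustration, with one message mimicking the insurance-quote spam reported above.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical alias registry: local part of the catch-all alias -> domain the
# alias was given to. Constructed sample values, not real accounts.
ALIAS_REGISTRY = {
    "qobuz": "qobuz.com",
    "roon": "roonlabs.com",
}

# Constructed sample messages (raw RFC 822 headers). The second one mimics the
# unsolicited quote mail that arrived on the Qobuz-only alias in the thread.
SAMPLE_MESSAGES = [
    "From: Qobuz <noreply@qobuz.com>\nTo: qobuz@example.net\nSubject: Weekly releases\n\nbody\n",
    "From: quotes@business1.theinsurancequoter.com\nTo: qobuz@example.net\nSubject: Navan offer\n\nbody\n",
    "From: Roon <support@roonlabs.com>\nTo: roon@example.net\nSubject: Ticket update\n\nbody\n",
    "From: someone@unknown-sender.example\nTo: unknown-alias@example.net\nSubject: hi\n\nbody\n",
]


def sender_domain(addr: str) -> str:
    """Return the host part of an address such as 'Name <user@host>'."""
    return parseaddr(str(addr))[1].rsplit("@", 1)[-1].lower()


def registered_domain(host: str) -> str:
    """Collapse subdomains so business1.theinsurancequoter.com compares as
    theinsurancequoter.com. A production tool would use the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_leaked_aliases(raw_messages):
    """Return (alias, expected_domain, actual_domain) for every message that
    reached a registered alias from a sender outside the registered domain."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        to_addr = parseaddr(str(msg["To"]))[1].lower()
        alias = to_addr.split("@", 1)[0]
        expected = ALIAS_REGISTRY.get(alias)
        if expected is None:
            continue  # not an alias we handed out, so nothing to attribute
        actual = registered_domain(sender_domain(msg["From"]))
        if actual != registered_domain(expected):
            findings.append((alias, expected, actual))
    return findings
```

Each finding names the alias, and therefore the service, from which the address most plausibly leaked; a mailing list the service legitimately outsources would show up the same way, so confirm against the service's known sender domains before drawing conclusions.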
That’s a brilliant idea. I own a couple of domains too, but it never occurred to me to generate unique email addresses for different purposes.
Looks like several of you are agreeing that it’s likely that Qobuz had a data leak and haven’t acknowledged it. A bit disappointing for a company that otherwise provides a good service and integrates really well with Roon…