If you make music and distribute it via Tunecore, you may well have received a newsletter over the last few days warning of a security breach. Here’s the newsletter email in question:
Salient information below, with certain passages bolded by yours truly:
We recently discovered suspicious activity on TuneCore’s servers in November, and that on November 17th an individual illegally collected information from our servers. We are actively working with law enforcement to investigate this unlawful act, and we have retained a leading cybersecurity firm to help prevent this from happening again.
It’s possible that the attacker may have had access to some of our customer data. The data on the compromised servers that we stored from customers like you included customers’ names, addresses, email addresses, TuneCore account numbers, and protected TuneCore passwords. Although TuneCore passwords were stored in a protected form, it is possible for a determined hacker with sufficient time, using advanced computing tools, to recover those passwords. Therefore, in an abundance of caution, we have invalidated your current TuneCore password, and are requesting that you log in to your TuneCore account as soon as possible to set a new password following the steps outlined below. You should also change your password on any other accounts or websites that share your previous TuneCore password.
According to comments in this Billboard article, anything related to payment should be safe as the third party service used for this by Tunecore wasn’t affected. However, anything covered up above is potentially fair game so you should do what they suggest and alter passwords on any other sites where you reuse the same password. You may also wish to sign up to the Haveibeenpwned service, and keep an eye out for any dumps involving your data.
Something to note about the Tunecore email – the title was simply “Important”, which means you could have missed it – and (in the above example, at least) it ended up in a spam folder. As a result, you might want to have a rummage around your mailbox and ensure you’re not missing anything important.
Tunecore has an FAQ page with some additional information about the breach, so if you think you may be affected we urge you to go and check it out. You should also keep in mind that anybody caught up in the breach could potentially be singled out by phishers, so be on your guard against email shenanigans for the foreseeable future.