Millions of accounts for internet radio service 8tracks are being traded on the digital underground, judging by a set of stolen user details obtained by Motherboard.

8tracks is cross between a social network and an internet radio site, allowing users to stream custom playlists. The site offers both free and paid accounts which only for ad-free listening.

Motherboard obtained a dataset of around 6 million 8track usernames, email addresses, and hashed passwords. For-profit breach notification site LeakBase provided Motherboard with the data, and claims that the full dataset comprises of around 18 million accounts. The passwords appear to be hashed with the SHA1 algorithm, meaning hackers may be able to crack the hashes and obtain some of the original passwords.

Several users in the data confirmed they signed up to 8tracks, with some signups stretching back to 2008. Motherboard also independently confirmed that a selection of email addresses included in the data did correspond to accounts on the site by trying to create new accounts with them. In every case, this was not possible because the email address was already linked to an 8tracks account.

8tracks told Motherboard it was preparing to inform customers of the breach, and that it had identified and plugged the attack vector used by the hacker.

"We believe the vector for the attack was an employee's Github account, which was not secured using two-factor authentication," 8tracks wrote in a blog post. "If you signed up via Google or Facebook authentication, then your password is not affected by this leak," the post added, and said that the stolen data only included those who had signed up via email.

The stolen data did not include any credit card information or other payment data.

The lesson: Some of the users Motherboard spoke to couldn't remember which password they had used to sign up to the service. This means they did not know which other sites used the same password. Even for sites that you may only create a free account on, it is always worth generating a unique password with a password manager. That way, even if that site you used years ago is hacked, an attacker isn't going to be able to use your old password on any other services that use it.