## Full Report
In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars.
## Analysis Summary
# Incident Report: SongTrivia2 Data Breach
## Executive Summary
In April 2026, the music trivia platform SongTrivia2 experienced a significant data breach resulting in the exposure of approximately 291,000 user records. The compromised data, which included email addresses and bcrypt password hashes, was subsequently leaked on a public hacking forum. The incident shows that user records held by a web platform remain exposed to theft, and that accounts created through a third-party sign-in (Google OAuth) are still affected when the platform's own user table is taken.
## Incident Details
- **Discovery Date:** April 4, 2026 (Added to HIBP)
- **Incident Date:** April 2026
- **Affected Organization:** SongTrivia2
- **Sector:** Entertainment / Gaming
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Unknown (Published via public hacking forum)
- **Details:** The exact method of entry is not publicly disclosed, but the result was the exfiltration of the platform’s user database.
### Lateral Movement
- **Details:** Not disclosed; however, the attacker successfully reached the database containing both OAuth-linked records and local (site-created) account credentials, i.e. the bcrypt password hashes.
### Data Exfiltration/Impact
- **Details:** 291,700 unique records were extracted from the site's production environment and moved to external attacker-controlled infrastructure for distribution.
### Detection & Response
- **How it was discovered:** Public disclosure on a hacking forum and subsequent identification by security researchers (DarkWebInformer/Have I Been Pwned).
- **Response actions taken:** Data was indexed by Have I Been Pwned to notify victims; platform-specific remediation (such as password resets) was recommended to the user base.
## Attack Methodology
- **Initial Access:** Likely a web application vulnerability or a misconfigured database (not publicly disclosed).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Extraction of bcrypt password hashes and Google OAuth tokens.
- **Discovery:** Target-specific database enumeration.
- **Lateral Movement:** Not disclosed.
- **Collection:** Automated extraction of user tables containing PII and credentials.
- **Exfiltration:** Data uploaded to a public hacking forum.
- **Impact:** Mass data breach and public exposure of 291k user identities.
## Impact Assessment
- **Financial:** Potential loss of premium subscribers and costs associated with incident response/legal compliance.
- **Data Breach:** High. 291,700 records including email addresses, bcrypt hashes, names, usernames, avatars, and OAuth tokens.
- **Operational:** Disruption to user trust and potential need for significant backend security overhauls.
- **Reputational:** High. The breach was highly visible on social media (X/Twitter) and hacking forums.
## Indicators of Compromise
- **Network indicators:** N/A (Post-incident analysis)
- **File indicators:** Database export files surfacing on hacking forums.
- **Behavioral indicators:** Unauthorized access to administrative database interfaces, or log entries showing high-volume data egress (bulk reads of the user table well beyond what normal application queries return).
## Response Actions
- **Containment:** Recommended password resets for all site users.
- **Eradication:** Invalidation of compromised Google OAuth tokens where applicable.
- **Recovery:** Notification of affected users via breach monitoring services.
## Lessons Learned
- **Key takeaways:** Use of bcrypt is a positive security measure (it slows offline cracking of the stolen hashes), but it does not prevent the initial theft of the data. Use of OAuth does not exempt a platform from protecting the user metadata associated with those logins.
- **What could have been done better:** Earlier detection of the data egress could have prevented the full database from being leaked to public forums.
## Recommendations
- **Rotate Secrets:** Immediately rotate all internal API keys and OAuth client secrets.
- **Audit Access Control:** Review database access logs and implement the Principle of Least Privilege (PoLP) for database service accounts.
- **Enhanced Monitoring:** Implement rate limiting on database queries and Data Loss Prevention (DLP) tooling to detect and block large database exports.
- **User Security:** Force a password reset for all users and encourage the adoption of Multi-Factor Authentication (MFA).
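To illustrate the behavioral indicator and monitoring recommendation above, here is an added example (not part of the report or of SongTrivia2's own tooling) that scans database audit log lines for bulk reads of a sensitive table. The log format, the `users` table name, the sliding window and the row threshold are all assumptions; the sample log is constructed so that three reads add up to the 291,700 records cited in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DB audit log (not real SongTrivia2 data): timestamp, principal,
# table, rows returned. The three "users" reads add up to 291,700 rows.
SAMPLE_LOG = """\
2026-04-01T02:00:01Z app_user users rows=1
2026-04-01T02:00:05Z app_user scores rows=25
2026-04-01T02:13:10Z app_user users rows=100000
2026-04-01T02:14:12Z app_user users rows=100000
2026-04-01T02:15:30Z app_user users rows=91700
2026-04-01T03:00:00Z report_job scores rows=200000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) rows=(\d+)$")
SENSITIVE_TABLES = {"users"}    # tables holding emails / bcrypt hashes (assumed name)
WINDOW = timedelta(minutes=10)  # sliding window over which reads are summed
ROW_THRESHOLD = 250_000         # rows per principal per window that trips an alert

def parse(log_text):
    """Yield (timestamp, principal, table, rows); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def detect_bulk_reads(log_text, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return one alert (principal, table, window_start, rows) per principal/table
    whose reads of a sensitive table exceed `threshold` rows inside any `window`."""
    events = defaultdict(list)  # (principal, table) -> [(ts, rows)] in log order
    for ts, principal, table, rows in parse(log_text):
        if table in SENSITIVE_TABLES:
            events[(principal, table)].append((ts, rows))
    alerts = []
    for (principal, table), evs in events.items():
        start = total = 0
        for ts, rows in evs:
            total += rows
            while ts - evs[start][0] > window:  # drop events older than the window
                total -= evs[start][1]
                start += 1
            if total > threshold:
                alerts.append((principal, table, evs[start][0], total))
                break  # first crossing is enough; later rows are the same export
    return alerts
```

Running `detect_bulk_reads(SAMPLE_LOG)` flags `app_user` for reading 291,700 rows from `users` in the window starting 02:13:10, while the large `report_job` read of the non-sensitive `scores` table is ignored.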