In a security update post on their website, Tunecore’s initial investigation shows that the data that may have been accessed included names, email addresses, mailing addresses if provided to us, TuneCore account numbers, and TuneCore passwords. Although TuneCore passwords were stored in a protected form, it is possible for a determined hacker, with sufficient time, using advanced computing tools, to recover those passwords.
For those customers who provided us with billing information, the data that may have been accessed includes: billing addresses; the last 4 digits of credit card numbers, as well as their expiration dates; bank names, the last 4 digits of bank account numbers, and the last 4 digits of bank routing numbers, and the name and address associated with the bank account on file. Full financial account information is never stored with TuneCore.
TuneCore is working closely with federal law enforcement investigators. At this time, no individual person or entity has been identified as the attacker. TuneCore says they never keeps full credit card or banking account information. Only the last four digits of financial account numbers for those customers who made transactions through TuneCore was stored on the compromised servers.
TuneCore has already invalidated all its users’ passwords, and are asking users to log into their account as soon as possible and select anothernew password. If you used the same password for TuneCore as for any other accounts or websites, you should also change the passwords for those accounts.
Although TuneCore did not store any complete financial information, it is always a good idea to review your payment and bank account statements carefully and call your bank or card issuer if you see any suspicious transactions. The major credit card companies have a policy providing that you will not be liable for unauthorized charges if you report them in a timely manner.