Users who signed up through Facebook or Gmail authentication or safe and not affected by this leak and the users who signed up directly with 8tracks are affected by this leak.
They don’t store sensitive client information, credit card numbers, phone numbers, or street addresses, so stolen data doesn’t have any credit card information. 8tracks use to store credentials encrypted, which is good. As the credentials are encrypted it can be decrypted only through brute force.
Brute force attack on the encrypted passwords is time-consuming and it will take lot of time even to decrypt a single password.
8tracks says "Passwords on 8tracks are hashed and salted, meaning that even we can’t tell you what your password is by looking at the database. Although the decryption of one particular user’s password through brute-force techniques is unlikely, we recommend that users change their password on 8tracks and any sites on which they may have used the same password to ensure their personal security."
8tracks believe the attack was through their employee’s Github account, which doesn’t have two-factor Authentication. And they believe Hackers have no chance to get into the database of the live server, but they can reach the Backup server which has database tables and User’s data.
Now after the attack, they enforce 2-step authentication on Github, to keep code and validation keys isolated, and to enhance our password encryption.
Check with haveibeenpwned and change your passwords for 8tracks account and other online portals immediately.