Up to 350,000 Spotify accounts hacked in credential stuffing attacks
This won't be music to your ears – researchers spot an unsecured
database replete with records used for an account hijacking spree
Amer Owaida
Researchers have found an
unsecured internet-facing database containing over 380 million individual
records, including login credentials that were leveraged for breaking into
300,000 to 350,000 Spotify accounts. The exposed records included a variety of
sensitive information such as people’s usernames and passwords, email
addresses, and countries of residence.
The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered by vpnMentor. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.
For context, credential stuffing is an automated account takeover attack during which cybercriminals leverage bots to hammer sites with login attempts using stolen access credentials from data breaches that occurred at other sites until they find the right combination of “old” access credentials and a new website and gain access. Usually applying some form of multi-factor authentication mitigates the chances of accounts being compromised, but Spotify doesn’t support the option.
The team contacted the Swedish audio streaming giant on July 9th and received an almost immediate response. Within a period of eleven days between July 10th and 21st, Spotify addressed the issue and deployed a rolling reset of passwords for all users affected by the issue.
“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers explained.
The continuing success of
credential stuffing attacks can, in large part, be attributed to users having
poor password hygiene. People often commit many of the common cardinal sins of password
creation and use, such
as password recycling or even sharing their access credentials with
others.
To illustrate the
questionable choices people make when it comes to their passwords, you
need not look any further than the list of the most common passwords of 2020, which is topped by veritable gems like “123456”
and “123456789”.
To protect the sensitive
data stored in your accounts, you should start by opting for a strong and
unique password, or even better passphrase. For convenience’s sake, you can also use a password manager that will do all the heavy lifting for you,
including generating and storing all your tough-to-crack passcodes, so you’ll
only have to remember one master password. For an extra layer of security, also
activate multi-factor authentication where possible.