Up to 350,000 Spotify accounts hacked in credential stuffing attacks

Researchers have found an unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.

The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered by vpnMentor. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.

For context, credential stuffing is an automated account takeover attack in which cybercriminals use bots to hammer sites with login attempts using access credentials stolen in data breaches at other sites, until they find an “old” username-and-password pair that also works on the new site and gain access. Applying some form of multi-factor authentication usually reduces the chances of accounts being compromised this way, but Spotify doesn’t support the option.
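As an added illustration (not from the original article or the vpnMentor research), here is a defender-side detector for the login pattern described above, run over constructed sample events: credential stuffing shows up as one source trying many distinct usernames once each with a low success rate, unlike a legitimate user retrying a mistyped password or a brute force against a single account. The event fields, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # event time, seconds since epoch
    src_ip: str
    username: str
    success: bool


def detect_credential_stuffing(events: Iterable[LoginEvent], window: int = 300,
                               min_attempts: int = 20, min_distinct_users: int = 10,
                               max_success_ratio: float = 0.2) -> dict:
    """Return {src_ip: stats} for sources whose traffic inside one fixed
    `window`-second bucket looks like credential stuffing: many attempts spread
    over many *different* usernames, almost all of them failing. A single user
    retrying their own password, or a brute force against one account, never
    reaches the distinct-username threshold."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.src_ip, e.ts // window)].append(e)
    flagged = {}
    for (ip, _), evs in buckets.items():
        attempts = len(evs)
        users = {e.username for e in evs}
        successes = sum(e.success for e in evs)
        if (attempts >= min_attempts and len(users) >= min_distinct_users
                and successes / attempts <= max_success_ratio):
            flagged[ip] = {"attempts": attempts, "distinct_users": len(users),
                           "successes": successes}
    return flagged


# Constructed sample traffic (not real logs): one stuffing source replaying 25
# leaked username/password pairs of which 2 still work; one legitimate user who
# mistypes twice; one brute force hammering a single account.
T0 = 1_600_000_000
SAMPLE_EVENTS = (
    [LoginEvent(T0 + i, "203.0.113.7", f"user{i:02d}@example.com", i in (3, 17))
     for i in range(25)]
    + [LoginEvent(T0 + 40, "198.51.100.4", "alice@example.com", False),
       LoginEvent(T0 + 55, "198.51.100.4", "alice@example.com", False),
       LoginEvent(T0 + 70, "198.51.100.4", "alice@example.com", True)]
    + [LoginEvent(T0 + 100 + i, "192.0.2.9", "bob@example.com", False)
       for i in range(30)]
)

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: {stats}")
```

Only the source spraying 25 different usernames is reported; the brute-force source fails on the distinct-username threshold, which is what separates stuffing from a classic password-guessing attack in the logs.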

The team contacted the Swedish audio streaming giant on July 9th and received an almost immediate response. Within a period of eleven days between July 10th and 21st, Spotify addressed the issue and deployed a rolling reset of passwords for all users affected by the issue.

“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers explained.

The continuing success of credential stuffing attacks can, in large part, be attributed to users having poor password hygiene. People often commit many of the common cardinal sins of password creation and use, such as password recycling or even sharing their access credentials with others. To illustrate the questionable choices people make when it comes to their passwords, you need look no further than the list of the most common passwords of 2020, which is topped by veritable gems like “123456” and “123456789”.

To protect the sensitive data stored in your accounts, you should start by opting for a strong and unique password or, even better, a passphrase. For convenience’s sake, you can also use a password manager that will do all the heavy lifting for you, including generating and storing all your tough-to-crack passcodes, so you’ll only have to remember one master password. For an extra layer of security, also activate multi-factor authentication where possible.


Copyright © 2020 Intellope, s.r.o. | All rights reserved.