Weak passwords leave 300,000 Spotify accounts vulnerable to hackers

Credentials of 300,000 to 350,000 Spotify users leaked in credential stuffing attack
BI India
  • The primary cause behind the user credentials of over 300,000 Spotify users getting leaked was weak passwords and their reuse across different platforms.
  • The cybersecurity firm behind the discovery, vpnMentor has not yet been able to ascertain how the information was obtained or who’s behind the attack.
  • However, both vpnMentor and Spotify believe that the most likely reason is that these passwords were picked up from other applications and websites.
  • Since being informed of the data breach, Spotify initiated a ‘rolling reset’ of passwords for the users who have been affected.
Spotify is one of the most popular music services around the world, but its popularity is probably what makes it a perfect target for hackers. A cybersecurity research team from vpnMentor recently discovered that over 300,000 Spotify accounts were the target of a credential stuffing operation.

Incident summary:
Database: Elasticsearch database
Size of data: 72 GB
Number of records: 380 million
Suspected number of users: 300,000 to 350,000
Date range: Unknown
Date discovered: July 3
Date of contacting Spotify: July 9
Date of response: July 9
Date of action: July 10 - 21
Type of data exposed: Email addresses, login credentials

As of now, both the origin and owners of the database remain unknown. However, the researchers were able to validate the integrity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.

The fault did not lie with Spotify
Credential stuffing is when hackers take advantage of weak passwords that users may be repeating across several accounts: credentials leaked from one service are replayed, in bulk, against another. “The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts,” said vpnMentor’s report.
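From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source hits many distinct accounts, tries each only once or twice, and most of those attempts fail. The example below is added here to illustrate that pattern; it is not code from the article, vpnMentor or Spotify. The log format, the thresholds and the log lines themselves are constructed for the example, and it also separates stuffing from an ordinary single-account brute force, which the article does not discuss.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Spotify data): one line per login attempt.
# Source 203.0.113.10 replays leaked credentials against eight different accounts,
# 203.0.113.20 hammers one account, and 198.51.100.5 is a normal user with a typo.
SAMPLE_LOG = """\
2020-07-03T10:00:01Z src=203.0.113.10 user=ana@example.com result=fail
2020-07-03T10:00:02Z src=203.0.113.10 user=ben@example.com result=fail
2020-07-03T10:00:02Z src=203.0.113.10 user=cara@example.com result=success
2020-07-03T10:00:03Z src=203.0.113.10 user=dev@example.com result=fail
2020-07-03T10:00:03Z src=203.0.113.10 user=eli@example.com result=fail
2020-07-03T10:00:04Z src=203.0.113.10 user=fay@example.com result=success
2020-07-03T10:00:04Z src=203.0.113.10 user=gus@example.com result=fail
2020-07-03T10:00:05Z src=203.0.113.10 user=hana@example.com result=fail
2020-07-03T10:05:00Z src=203.0.113.20 user=ivan@example.com result=fail
2020-07-03T10:05:01Z src=203.0.113.20 user=ivan@example.com result=fail
2020-07-03T10:05:02Z src=203.0.113.20 user=ivan@example.com result=fail
2020-07-03T10:05:03Z src=203.0.113.20 user=ivan@example.com result=fail
2020-07-03T10:05:04Z src=203.0.113.20 user=ivan@example.com result=fail
2020-07-03T10:05:05Z src=203.0.113.20 user=ivan@example.com result=fail
this line is malformed and must be skipped
2020-07-03T10:07:00Z src=198.51.100.5 user=alice@example.com result=fail
2020-07-03T10:07:09Z src=198.51.100.5 user=alice@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)

# Assumed thresholds; a real deployment tunes these against its own traffic.
MIN_DISTINCT_USERS = 5       # stuffing spreads across many accounts ...
MAX_ATTEMPTS_PER_USER = 2.0  # ... with very few tries per account ...
MIN_FAILURE_RATIO = 0.5      # ... and most leaked credentials no longer work
BRUTE_MIN_ATTEMPTS = 5       # single-account brute force: many tries, one user


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def profile_sources(events):
    """Aggregate attempts, failures and the set of targeted users per source IP."""
    profiles = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(),
                                    "succeeded": set()})
    for ev in events:
        p = profiles[ev["src"]]
        p["attempts"] += 1
        p["users"].add(ev["user"])
        if ev["result"] == "fail":
            p["failures"] += 1
        else:
            p["succeeded"].add(ev["user"])
    return profiles


def classify(profile):
    """Label one source as credential_stuffing, password_brute_force or normal."""
    attempts = profile["attempts"]
    distinct = len(profile["users"])
    failure_ratio = profile["failures"] / attempts
    per_user = attempts / distinct
    if (distinct >= MIN_DISTINCT_USERS and per_user <= MAX_ATTEMPTS_PER_USER
            and failure_ratio >= MIN_FAILURE_RATIO):
        return "credential_stuffing"
    if distinct == 1 and attempts >= BRUTE_MIN_ATTEMPTS and failure_ratio >= 0.8:
        return "password_brute_force"
    return "normal"


def detect(text):
    """Map each source IP in the log to its verdict."""
    return {src: classify(p) for src, p in profile_sources(parse_log(text)).items()}


def compromised_accounts(text):
    """Accounts that a stuffing source logged into successfully: reset these first."""
    hits = set()
    for p in profile_sources(parse_log(text)).values():
        if classify(p) == "credential_stuffing":
            hits |= p["succeeded"]
    return hits


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG)))
```

The useful output is not the list of blocked IPs but `compromised_accounts`: the accounts where a replayed credential actually worked are exactly the ones that need the kind of forced reset the article goes on to describe.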

According to the company, the breach did not happen because security was lax at its end, but because users were reusing passwords across different services.

“As the report states, this issue did not originate with Spotify and it accurately describes our outreach to affected users and our actions to protect their accounts. We take any and all fraudulent activity on our service extremely seriously and we are committed to the security of our users’ data,” Spotify’s spokesperson told Business Insider India in a statement.

However, the company does not have any region-specific or country-specific data to shed light on the geographical distribution of the breach.


How can Spotify users check if they were hacked?
If you were one of the individuals affected by the data breach, you have probably received an email from Spotify to reset your password by now.

The company initiated a ‘rolling reset’ of passwords once the issue came to its notice. This means that it sent out emails informing affected users that their accounts had been reset with a temporary alphanumeric password, which they will have to change the next time they log in.
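The mechanics of such a reset are straightforward but easy to get subtly wrong. The example below is added here to show the steps a rolling reset involves; it is not Spotify's code and nothing about their implementation is known from the article. The account model, the hashing parameters and the sample accounts are constructed for the example. Each affected account gets a fresh random alphanumeric password from a CSPRNG, the old password stops working, every existing session is revoked, and the account is flagged so the temporary password can only be used to set a new one.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_letters + string.digits  # alphanumeric, as in the article
TEMP_PASSWORD_LENGTH = 16
PBKDF2_ITERATIONS = 100_000  # assumed parameter for the example


@dataclass
class Account:
    """Constructed account record: only what the reset needs."""
    email: str
    salt: bytes
    password_hash: bytes
    must_change_password: bool = False
    active_sessions: set = field(default_factory=set)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def new_account(email, password):
    salt = os.urandom(16)
    return Account(email=email, salt=salt, password_hash=hash_password(password, salt))


def generate_temporary_password():
    """Random alphanumeric password from the CSPRNG, never from random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TEMP_PASSWORD_LENGTH))


def rolling_reset(accounts, affected_emails):
    """Reset every affected account and return the temporary passwords to deliver.

    The returned mapping is handed to the notification channel (email in the
    article); it is never logged or stored, only the new hash is kept.
    """
    notices = {}
    for email in affected_emails:
        account = accounts[email]
        temp = generate_temporary_password()
        account.salt = os.urandom(16)              # new salt, not reused
        account.password_hash = hash_password(temp, account.salt)
        account.must_change_password = True        # temp password is single-purpose
        account.active_sessions.clear()            # kick out whoever is logged in
        notices[email] = temp
    return notices


def login(account, password):
    """Return 'denied', 'change_required' or 'ok' for a login attempt."""
    candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.password_hash):
        return "denied"
    if account.must_change_password:
        return "change_required"
    return "ok"


def set_new_password(account, temp_password, new_password):
    """Complete the reset: only allowed with the temporary password, clears the flag."""
    if login(account, temp_password) != "change_required":
        return False
    if new_password == temp_password:
        return False  # the user must pick something new
    account.salt = os.urandom(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.must_change_password = False
    return True


def demo():
    """Constructed walkthrough: alice is affected, bob is not."""
    accounts = {
        "alice@example.com": new_account("alice@example.com", "reused-everywhere"),
        "bob@example.com": new_account("bob@example.com", "unique-and-long"),
    }
    accounts["alice@example.com"].active_sessions.add("session-123")
    notices = rolling_reset(accounts, ["alice@example.com"])
    alice, bob = accounts["alice@example.com"], accounts["bob@example.com"]
    results = {
        "old_password": login(alice, "reused-everywhere"),
        "temp_password": login(alice, notices["alice@example.com"]),
        "bob_untouched": login(bob, "unique-and-long"),
        "sessions_left": len(alice.active_sessions),
        "changed": set_new_password(alice, notices["alice@example.com"], "a-fresh-one"),
        "after_change": login(alice, "a-fresh-one"),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

The two details that matter most are that the temporary password is only ever accepted on the path that sets a new one, and that sessions are revoked at reset time; otherwise an attacker who already logged in with the leaked credential keeps their access until the session expires on its own.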

“We are aware of these types of tools that target vulnerable usernames and user passwords, and we strongly discourage users from using the same credentials across different services. That is the most effective way to protect account information from this kind of attack,” advised Spotify.
