- The primary cause behind the user credentials of over 300,000 Spotify users getting leaked was weak passwords and their reuse across different platforms.
- The cybersecurity firm behind the discovery, vpnMentor has not yet been able to ascertain how the information was obtained or who’s behind the attack.
- However, both vpnMentor and Spotify believe that the most likely reason is that these passwords were picked up from other applications and websites.
- Since being informed of the data breach, Spotify initiated a ‘rolling reset’ of passwords for the users who have been affected.
Spotify is one of the most popular music services around the world, but its popularity is probably what makes it a perfect target for hackers. A cybersecurity research team from vpnMentor recently discovered that over 300,000 Spotify accounts were the target of a credit stuffing operation.
| Incident summary: |
| Database | Elasticsearch database |
| Size of data | 72 GB |
| Number of records | 380 million |
| Suspected number of users | 300,000 to 350,000 |
| Date range | Unknown |
| Date discovered | July 3 |
| Date of contacting Spotify | July 9 |
| Date of response | July 9 |
| Date of action | July 10 - 21 |
| Type of data exposed | Email addresses, login credentials |
As of now, both the origin and owners of the database remain unknown. However, the researchers were able to validate the integrity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.
The fault did not lie with Spotify
Credit stuffing is when hackers take advantage of weak passwords and users may be repeating across several accounts. “The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts,” said vpnMentor’s report.
According to the company, the data breach is not because security was lax at their end, but because users were reusing passwords across different services.
“As the report states, this issue did not originate with Spotify and it accurately describes our outreach to affected users and our actions to protect their accounts. We take any and all fraudulent activity on our service extremely seriously and we are committed to the security of our users’ data,” Spotify’s spokesperson told Business Insider India in a statement.
However, the company does not have any region-specific or country-specific data to shed light on the geographical distribution of the breach.
How can Spotify users check if they were hacked?
If you were one of the individuals affected by the data breach, you have probably received an email from Spotify to reset your password by now.
The company initiated a ‘rolling reset’ of passwords once the issue came to their notice. This means that it sent out emails to users informing them that their account has been reset with a temporary alpha-numeric password, which they will now have to update when they log in next.
“We are aware of these types of tools that target vulnerable usernames and user passwords, and we strongly discourage users from using the same credentials across different services. That is the most effective way to protect account information from this kind of attack,” advised Spotify.
SEE ALSO:
LVB-DBS Bank India merger approved by Union Cabinet — ‘those who have made mistakes will be punished’
Bank employees to go on a nationwide strike on November 26 in solidarity with farmers’ protests
Twitter's coveted blue ticks are making a comeback next year along with new account types and labels
Next Story
Sebi to boost disclosure norms; do away with permanent board seats for individuals
Here are the ten big income tax rule changes that will come into effect from April 1
Not just for OTT, people rely on digital to discover & engage with content across TV and movies: BCG-Meta Report
SPC Lifesciences files draft papers with SEBI for IPO
Sensex rallies 346 pts, Nifty near 17,100 on firm global markets
