Credentials of 300,000 to 350,000 Spotify users leaked in credential stuffing attack
BI India
The primary cause behind the user credentials of over 300,000 Spotify users getting leaked was weak passwords and their reuse across different platforms.
The cybersecurity firm behind the discovery, vpnMentor, has not yet been able to ascertain how the information was obtained or who is behind the attack.
However, both vpnMentor and Spotify believe that the most likely reason is that these passwords were picked up from other applications and websites.
Since being informed of the data breach, Spotify initiated a ‘rolling reset’ of passwords for the users who have been affected.
Spotify is one of the most popular music services around the world, but its popularity is probably what makes it a perfect target for hackers. A cybersecurity research team from vpnMentor recently discovered that over 300,000 Spotify accounts were the target of a credential stuffing operation.
Incident summary:
Database: Elasticsearch database
Size of data: 72 GB
Number of records: 380 million
Suspected number of users: 300,000 to 350,000
Date range: Unknown
Date discovered: July 3
Date of contacting Spotify: July 9
Date of response: July 9
Date of action: July 10 - 21
Type of data exposed: Email addresses, login credentials
As of now, both the origin and owners of the database remain unknown. However, the researchers were able to validate the integrity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.
The fault did not lie with Spotify
Credential stuffing is when hackers take advantage of weak passwords that users may be reusing across several accounts. “The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts,” said vpnMentor’s report.
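The pattern described above, one source trying many different leaked email/password pairs against a service and succeeding only where the password was reused, has a recognisable shape in authentication logs. The following is an added detection example, not code from Spotify or vpnMentor; the log line format, thresholds and sample entries are constructed for illustration.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
import re
from collections import defaultdict

# Constructed sample: one IP cycles through many accounts and mostly fails
# (stuffing); one ordinary user mistypes a password once and then logs in.
SAMPLE_LOG = """\
2020-07-03T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2020-07-03T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2020-07-03T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2020-07-03T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2020-07-03T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2020-07-03T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2020-07-03T10:05:00Z ip=198.51.100.7 user=grace@example.com result=FAIL
2020-07-03T10:05:09Z ip=198.51.100.7 user=grace@example.com result=OK
"""

# Assumed line format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Yield (ip, user, succeeded) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried many distinct accounts with a
    high failure rate. A stuffing run tries each leaked pair roughly once, so
    the distinct-user count is high and only reused passwords succeed."""
    attempts = defaultdict(list)
    for ip, user, ok in parse_log(text):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        ratio = fails / len(events)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 2),
                # accounts that DID log in from a flagged source are the
                # ones to reset first, as in the rolling reset described here
                "compromised": sorted(u for u, ok in events if ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The thresholds are deliberately low so the constructed sample triggers; in production they would be tuned per login endpoint and evaluated over a sliding time window rather than a whole file.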
According to the company, the data breach is not because security was lax at its end, but because users were reusing passwords across different services.
“As the report states, this issue did not originate with Spotify and it accurately describes our outreach to affected users and our actions to protect their accounts. We take any and all fraudulent activity on our service extremely seriously and we are committed to the security of our users’ data,” Spotify’s spokesperson told Business Insider India in a statement.
However, the company does not have any region-specific or country-specific data to shed light on the geographical distribution of the breach.
How can Spotify users check if they were hacked?
If you were one of the individuals affected by the data breach, you have probably received an email from Spotify to reset your password by now.
The company initiated a ‘rolling reset’ of passwords once the issue came to its notice. This means that it sent out emails to users informing them that their accounts had been reset with a temporary alphanumeric password, which they will have to update when they next log in.
“We are aware of these types of tools that target vulnerable usernames and user passwords, and we strongly discourage users from using the same credentials across different services. That is the most effective way to protect account information from this kind of attack,” advised Spotify.