- The primary cause behind the user credentials of over 300,000 Spotify users getting leaked was weak passwords and their reuse across different platforms.
- The cybersecurity firm behind the discovery, vpnMentor has not yet been able to ascertain how the information was obtained or who’s behind the attack.
- However, both vpnMentor and Spotify believe that the most likely reason is that these passwords were picked up from other applications and websites.
- Since being informed of the data breach, Spotify initiated a ‘rolling reset’ of passwords for the users who have been affected.
Spotify is one of the most popular music services around the world, but its popularity is probably what makes it a perfect target for hackers. A cybersecurity research team from vpnMentor recently discovered that over 300,000 Spotify accounts were the target of a credit stuffing operation.
| Incident summary: |
| Database | Elasticsearch database |
| Size of data | 72 GB |
| Number of records | 380 million |
| Suspected number of users | 300,000 to 350,000 |
| Date range | Unknown |
| Date discovered | July 3 |
| Date of contacting Spotify | July 9 |
| Date of response | July 9 |
| Date of action | July 10 - 21 |
| Type of data exposed | Email addresses, login credentials |
As of now, both the origin and owners of the database remain unknown. However, the researchers were able to validate the integrity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.
The fault did not lie with Spotify
Credit stuffing is when hackers take advantage of weak passwords and users may be repeating across several accounts. “The hackers were possibly using login credentials stolen from another platform, app, or website and using them to access Spotify accounts,” said vpnMentor’s report.
According to the company, the data breach is not because security was lax at their end, but because users were reusing passwords across different services.
“As the report states, this issue did not originate with Spotify and it accurately describes our outreach to affected users and our actions to protect their accounts. We take any and all fraudulent activity on our service extremely seriously and we are committed to the security of our users’ data,” Spotify’s spokesperson told Business Insider India in a statement.
However, the company does not have any region-specific or country-specific data to shed light on the geographical distribution of the breach.
How can Spotify users check if they were hacked?
If you were one of the individuals affected by the data breach, you have probably received an email from Spotify to reset your password by now.
The company initiated a ‘rolling reset’ of passwords once the issue came to their notice. This means that it sent out emails to users informing them that their account has been reset with a temporary alpha-numeric password, which they will now have to update when they log in next.
“We are aware of these types of tools that target vulnerable usernames and user passwords, and we strongly discourage users from using the same credentials across different services. That is the most effective way to protect account information from this kind of attack,” advised Spotify.
SEE ALSO:
LVB-DBS Bank India merger approved by Union Cabinet — ‘those who have made mistakes will be punished’
Bank employees to go on a nationwide strike on November 26 in solidarity with farmers’ protests
Twitter's coveted blue ticks are making a comeback next year along with new account types and labels
Next Story
Migration to other social media platforms shows no signs of slowing following Elon Musk's chaotic takeover at Twitter, report says
BHEL among 5 bidders for Rs 58,000 cr deal to manufacture, maintain 200 Vande Bharat trains
Max Financial Services: Company worth ₹24,000 crore running with only 12 employees
E-commerce platform Carousell lays off 110 employees to reduce costs
Oil prices rise after G7 nations cap the price of Russian crude at $60/barrel
Italy home to highest number of unofficial Chinese 'police stations' says a Spanish civil rights group
ChatGPT is a new AI chatbot that can find mistakes in your code or write a story for you
HealthifyMe sacks about 150 employees, says growth didn't keep pace with hiring
