vpnMentor security researchers found a 72-gigabyte unencrypted database containing data records of over 300K Spotify users who were targeted in credential stuffing attacks.
In a digital-only world, credential theft has exploded. Between December 2017 and November 2019, content delivery network provider Akamai observed an astounding 85 billion credential stuffing attacks against its customer base. Worryingly, organizations continue to put user data at risk by failing to enforce the safeguards that would mitigate unauthorized access to their systems.
Recently, vpnMentor’s research team found an unsecured Elasticsearch database containing over 380 million records, including login credentials and other user data that were being validated against the Spotify service. The database is not maintained by Spotify; it was set up by attackers looking to defraud Spotify users through credential stuffing, in which username and password pairs leaked from other services are replayed against a target’s login endpoint.
The researchers also found 72 gigabytes of information related to Spotify users in the unsecured database, including email addresses and login credentials (usernames and passwords) of 300,000 to 350,000 users whose credentials were either obtained “illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.”
Earlier, on July 3, Spotify users reported erratic behavior: preferences were changed, and the app recommended unrelated playlists. The researchers say the fraudsters could have used the leaked credentials to take over the Spotify accounts of users who had reused old passwords.
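Credential stuffing leaves a recognizable shape in authentication logs that differs from brute force: one source replays many distinct usernames, typically one password each, with a high failure rate, whereas brute force hammers a single account with many passwords. The following detector is an added example and is not code from vpnMentor, Spotify or the article; the log format, thresholds and sample lines are assumptions constructed for illustration. It classifies each source IP and lists the accounts a stuffing source actually got into, which are the password-reuse victims that need a forced reset.

```python
"""Added example (not from the vpnMentor report or Spotify): flag credential
stuffing versus brute force in authentication logs, and list the accounts a
stuffing source succeeded against. Log format and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Assumed log format: "<timestamp> <source ip> user=<name> result=ok|fail".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample lines, not real Spotify data. 203.0.113.5 walks a leaked
# list (many users, one try each); 198.51.100.7 brute-forces one account.
SAMPLE_LOG = """\
2020-07-03T10:00:01Z 203.0.113.5 user=alice result=fail
2020-07-03T10:00:02Z 203.0.113.5 user=bob result=fail
2020-07-03T10:00:02Z 203.0.113.5 user=carol result=ok
2020-07-03T10:00:03Z 203.0.113.5 user=dave result=fail
2020-07-03T10:00:03Z 203.0.113.5 user=erin result=fail
2020-07-03T10:00:04Z 203.0.113.5 user=frank result=fail
2020-07-03T10:00:05Z 198.51.100.7 user=alice result=fail
2020-07-03T10:00:06Z 198.51.100.7 user=alice result=fail
2020-07-03T10:00:07Z 198.51.100.7 user=alice result=fail
2020-07-03T10:00:08Z 198.51.100.7 user=alice result=fail
2020-07-03T10:00:09Z 198.51.100.7 user=alice result=fail
2020-07-03T10:00:10Z 198.51.100.7 user=alice result=fail
2020-07-03T10:00:11Z 192.0.2.9 user=grace result=ok
2020-07-03T10:00:12Z 192.0.2.9 user=grace result=fail
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # accounts the source got into


def parse(lines):
    """Yield parsed events; silently skip lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify_sources(lines, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8):
    """Return ({ip: verdict}, {ip: SourceStats}).

    credential_stuffing: many distinct users and a high failure ratio.
    brute_force:         one user and a high failure ratio.
    benign:              everything else, including sources below min_attempts.
    """
    stats = defaultdict(SourceStats)
    for ev in parse(lines):
        s = stats[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(ev["user"])

    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            verdicts[ip] = "benign"
            continue
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "credential_stuffing"
        elif len(s.users) == 1 and fail_ratio >= min_fail_ratio:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts, dict(stats)


def compromised_accounts(lines, **thresholds):
    """Accounts that a credential-stuffing source logged into successfully:
    the reuse victims who need a forced password reset."""
    verdicts, stats = classify_sources(lines, **thresholds)
    hit = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            hit |= stats[ip].successes
    return sorted(hit)


if __name__ == "__main__":
    verdicts, _ = classify_sources(SAMPLE_LOG.splitlines())
    for ip, verdict in verdicts.items():
        print(f"{ip:15} {verdict}")
    print("reset needed for:", compromised_accounts(SAMPLE_LOG.splitlines()))
```

The distinguishing feature is the number of distinct usernames per source, not the raw volume of failures; a rate limit keyed only on failures per account, which stops brute force, does nothing against a stuffing run that touches each account once. Thresholds should be tuned against the site’s normal traffic, and sources behind shared NAT will need a higher `min_distinct_users`.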
I got an email that someone was trying to hack into my Spotify account. I know my playlists are 🔥 but like who tries to hack Spotify? 🤔😂
— J (@talljames07) June 16, 2020
Snapshot of Exposed Credentials
The unencrypted database was discovered as part of a ‘huge web mapping project’, in which the researchers examine and test IP blocks for system weaknesses through port scanning.
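The same scan that found this database will find yours if an Elasticsearch node is reachable with no authentication: an open node answers `GET /` with cluster metadata and `GET /_cat/indices` with a full index listing, while a secured node returns 401. The probe below is an added example, not part of the vpnMentor research or the article; the host, port, and the sample responses are assumptions constructed for illustration, and the `probe` function only does network I/O when you point it at a real host.

```python
"""Added example (not from vpnMentor or the article): check whether an
Elasticsearch node answers unauthenticated requests and, if so, how much data
it exposes. Sample responses below are constructed; host and port are assumed."""
import json
import urllib.error
import urllib.request

# Constructed sample, shaped like Elasticsearch's root endpoint response.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "7.8.0"},
    "tagline": "You Know, for Search",
})
# Constructed sample shaped like GET /_cat/indices?format=json&bytes=b
# (72 GiB = 77309411328 bytes).
SAMPLE_INDICES = json.dumps([
    {"index": "validated-accounts", "docs.count": "380000000", "store.size": "77309411328"},
    {"index": ".kibana_1", "docs.count": "3", "store.size": "20480"},
])


def classify(status, root_body):
    """Map an HTTP status plus the root-endpoint body to an exposure verdict."""
    if status == 401:
        return "auth_required"
    if status == 200:
        try:
            doc = json.loads(root_body)
        except ValueError:
            return "not_elasticsearch"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
        return "not_elasticsearch"
    return "unexpected_status"


def summarize_indices(indices_body, min_docs=1_000_000):
    """Return (index, docs, bytes) for indices with at least min_docs documents,
    largest first, so the operator sees what an attacker would see."""
    out = []
    for row in json.loads(indices_body):
        docs = int(row.get("docs.count") or 0)
        size = int(row.get("store.size") or 0)
        if docs >= min_docs:
            out.append((row["index"], docs, size))
    return sorted(out, key=lambda r: r[1], reverse=True)


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, body). Raises URLError
    when the host is unreachable."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(host, port=9200, timeout=5):
    """Probe a live host (assumed address) and return a verdict dict."""
    base = f"http://{host}:{port}"
    try:
        status, body = fetch(base + "/", timeout)
    except (urllib.error.URLError, OSError) as e:
        return {"verdict": "unreachable", "error": str(e)}
    result = {"verdict": classify(status, body)}
    if result["verdict"] == "open":
        try:
            st, idx = fetch(base + "/_cat/indices?format=json&bytes=b", timeout)
            if st == 200:
                result["large_indices"] = summarize_indices(idx)
        except (urllib.error.URLError, OSError, ValueError) as e:
            result["error"] = str(e)
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed responses.
    print("verdict:", classify(200, SAMPLE_ROOT))
    for name, docs, size in summarize_indices(SAMPLE_INDICES):
        print(f"{name}: {docs} docs, {size / 2**30:.1f} GiB")
```

Run `probe("192.0.2.10")` (an assumed address) against your own nodes from outside the network; an `open` verdict means the node needs authentication enabled and its port closed at the perimeter. Note that a 401 only proves authentication is configured, not that the credentials are strong.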
Javvad Malik, Security Awareness Advocate at KnowBe4, told SiliconANGLE, “Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites. It’s why it’s important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use multifactor authentication. That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.”
vpnMentor warns that hackers can use the exposed data to target users’ social media accounts, email accounts, and more. The concerns include account takeover, account abuse, and identity theft, in which hackers build ‘complex profiles of users and target them for financial fraud.’
The Stockholm-based music streaming giant, which recently hit 320 million monthly active users, initiated a rolling password reset for all affected users, rendering the database records useless for future attacks against Spotify.
@Spotify I just got an email that came from your company to reset my password because of suspicious activity. Did this really come from you? I had my acct hacked earlier in the year, I just want to make sure the email came directly from Spotify.
— Trish Salcedo (@TrishSalcedo1) July 21, 2020
However, this does not shield the same users on other websites. Just as they were targeted through credential stuffing on Spotify, the data can be used to target them on other platforms as well. Spotify users prompted to reset their passwords between July 10 and July 21 should, as a precaution, update their passwords on any other site where they reused them.