More than 300K Spotify accounts compromised by credential stuffing attack

Hackers used 300 million records with username/password combinations for hacking into other Spotify accounts

More than 300K Spotify accounts breached by using previously leaked username/password combinations.

VPNMentor released a report^[1] about an open Elasticsearch database containing more than 380 million records, including email addresses, username/password combinations, and other user data, that were actively exploited to break into Spotify accounts. The database contained over 72GB of sensitive information. This common attack method used to hack into accounts with a large collection of login credentials is called credential stuffing.^[2]

Spotify^[3] is a well-known provider of audio streaming and media service. This platform offers millions of songs and podcasts. Spotify is available in most of Europe, America, and Oceania, and parts of Asia and Africa. It works on most devices, including Android and iOS smartphones, macOS, Windows, and Linux computers, etc. Spotify has over 299 million active monthly users.

VPNMentor researchers think that an open database with millions of records allowed hackers to successfully breach about 300,000-350,000 Spotify accounts. Cybersecurity experts contacted Spotify about this problem on July 9th and the company performed a password reset for compromised accounts in the same month.

It is still unclear how the sensitive data were obtained but it could be used in different cybercriminal schemes

According to cybersecurity specialists, it is still unclear how more than 300 million records with sensitive information were collected. It is likely that login credentials were gathered through data breaches or large collections of credentials that are commonly released by cybercriminals for free.

It is important to note that such an unsecured database could be exploited in many cybercriminal schemes. The information can be used not only by the hackers who built the exposed database but also by other cybercriminals who successfully found the database.

The unsecured server provided access to information such as email addresses, countries of residence, account usernames, passwords verified on Spotify, and IP addresses. Potentially, hackers could use this information for different reasons:

• hackers could use the exposed names and emails to identify users on social media accounts and other platforms and then target users for any form of financial fraud and/or identity theft,
• by using contact information cybercriminals could directly target exposed users with phishing emails,
• hackers could use stolen information to access the user's account and take advantage of digital services that were already paid for by the original user,
• external account takeover is possible too because many users are probably reusing the same login credentials for other apps, platforms, etc.

Additional security measures are not available

Multi-factor authentication^[4] could greatly increase the security of Spotify accounts. Users have been requesting to implement this method for some time.^[5] However, Spotify still does not support this method.

Of course, this does not mean that Spotify ignores security issues. After VPNMentor cybersecurity experts contacted Spotify to inform the company about the exposed database and its threat to Spotify accounts, they received the answer on the same day. Researchers said:

In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless.

Also, even if the user followed the instructions provided by Spotify and successfully changed login information, he/she should immediately change the password on any other accounts if the user reused the same old Spotify login credentials. It is important to choose a difficult password. A password generator that creates strong, unique passwords can come in handy for this task.