Over 300K Spotify Accounts Hacked In Credential Stuffing Attack

Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources.

For years, users have complained that their Spotify accounts were hacked after passwords were changed, new playlists would appear in their profiles, or their family accounts had strangers added from other countries.

Spotify users saying their accounts were hacked
Spotify users stating their accounts were hacked

A new report detailing how a database containing over 380 million records, including login credentials, is actively used to hack into Spotify accounts may shed some light on these account breaches.

Also Read: What is Pentest Report? Here’s A Walk-through

300 million records with user info for hacking Spotify accounts

A common attack used to hack into accounts is called a credential stuffing attack, which is when threat actors make use of large collections of username/password combinations that were leaked in previous security breaches to gain access to user accounts on other online platforms.

Today, VPNMentor released a report about a database exposed on the Internet that contained 300 million username and password combinations used in credential stuffing attacks against Spotify.

Each record in this database contains a login name (email address), a password, and whether the credentials could successfully login to a Spotify account, as shown below.

Record in exposed database
Record in exposed database

It is not known how the 300 million records were collected, but it is likely through data breaches or large “collections” of credentials that are commonly released by threat actors for free.

The researchers believe that the 300 million records listed in the database allowed the attackers to breach 300,000 to 350,000 Spotify accounts.

VPNMentor contacted Spotify on July 9th, 2020, about the exposed database and its threat to accounts and received a response on the same day.

“In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless,” the researchers stated.

For those users whose accounts were compromised, Spotify performed a password reset in July.

Also Read: The PDPA Data Breach August 2020: A Recap of 8 Alarming Cases

Spotify does not support multi-factor authentication, which would greatly increase the security of accounts, even though users have been requesting it for some time.

Privacy Ninja provides GUARANTEED quality and results for the following services: 
DPO-As-A-Service (Outsourced DPO Subscription)
PDPA Compliance Training
P
DPA Compliance Audit
Dig
ital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy

PDPA Data Protection Software
Vulnerability Assessment & Penetration Testing (VAPT)
Smart Contract Audit

Like & Subscribe:
Facebook
LinkedIn
Twitter
YouTube
Podcast


0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *