Some 350,000 Spotify users reportedly had their music streaming accounts compromised as a result of a third-party data leak. Facing a credential stuffing attack, the platform was forced to act quickly and reset the affected users' passwords.
According to Threat Post, a credential stuffing attack takes advantage of people who reuse the same password across different online accounts. Attackers who have obtained usernames and passwords from another source, typically an earlier breach, replay those same pairs against the login forms of other websites, usually with automated tooling, and any pair that still works hands them the account.
Anyone who uses the same login credentials across several sites, apps, or platforms is therefore exposed: a single leak anywhere is enough for an attacker to walk straight into their other accounts.
Noam Rotem and Ran Locar of vpnMentor first learned of the incident after coming across an exposed Elasticsearch database containing more than 380 million records. In total, the database held over 72 GB of data, said Threat Post, and the records included login details for Spotify accounts.
The security researchers found the database on July 3, 2020. After further review, the team contacted the music streaming platform on July 9, 2020. Between July 10 and July 21 of the same year, Spotify reportedly took action by rolling out password resets for the users affected by the leak.
Among the personal information compromised in the third-party data leak were account usernames and passwords, both of which the researchers verified were valid on the platform, along with the associated email addresses and countries of residence, said vpnMentor.
None of the information in the database was encrypted, said ZDNet; the credentials sat in plaintext, so anyone who found the server could use them directly, both against Spotify and in further attacks of the same kind against other services.
According to researchers Rotem and Locar, “These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.”
“Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users,” continued vpnMentor.
While the 300,000 to 350,000 affected accounts are a small fraction of the service's 299 million monthly active users, the researchers said this third-party data leak still opens an avenue for further attacks.
Among the harms the researchers listed for users whose details were exposed: the leaked data could be used to find and identify them on social media and to build profiles of them from that information. Threat Post also reports that those individuals could be targets for identity theft and financial fraud.
Following the incident, Spotify users who reuse passwords across other sites and services are urged to change their passwords immediately. The reset Spotify performed protects only the Spotify account; any other account still guarded by the same leaked password remains exposed until that password, too, is replaced with a unique one.