Over 300K Spotify accounts hacked in credential stuffing attack

[steven36]

Hackers have been attempting to gain access to Spotify accounts using a database of 380 million records with login credentials and personal information collected from various sources.

 

 

 

For years, users have complained that their Spotify accounts were hacked after passwords were changed, new playlists would appear in their profiles, or their family accounts had strangers added from other countries.

 

Spotify users stating their accounts were hacked

 

 

A new report detailing how a database containing over 380 million records, including login credentials, is actively used to hack into Spotify accounts may shed some light on these account breaches.

300 million records with user info for hacking Spotify accounts

A common attack used to hack into accounts is called a credential stuffing attack, which is when threat actors make use of large collections of username/password combinations that were leaked in previous security breaches to gain access to user accounts on other online platforms.

 

Today, VPNMentor released a report about a database exposed on the Internet that contained 300 million username and password combinations used in credential stuffing attacks against Spotify.

 

Each record in this database contains a login name (email address), a password, and whether the credentials could successfully login to a Spotify account, as shown below.

 

 

 

Record in exposed database

 

It is not known how the 300 million records were collected, but it is likely through data breaches or large "collections" of credentials that are commonly released by threat actors for free.

The researchers believe that the 300 million records listed in the database allowed the attackers to breach 300,000 to 350,000 Spotify accounts.

 

VPNMentor contacted Spotify on July 9th, 2020, about the exposed database and its threat to accounts and received a response on the same day.

 

"In response to our inquiry, Spotify initiated a ‘rolling reset’ of passwords for all users affected. As a result, the information on the database would be voided and become useless," the researchers stated.

 

For those users whose accounts were compromised, Spotify performed a password reset in July.

 

Spotify does not support multi-factor authentication, which would greatly increase the security of accounts, even though users have been requesting it for some time.

 

Source