Researchers have found an unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.
The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered by vpnMentor. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.
For context, credential stuffing is an automated account takeover attack during which cybercriminals leverage bots to hammer sites with login attempts using stolen access credentials from data breaches that occurred at other sites until they find the right combination of “old” access credentials and a new website and gain access. Usually applying some form of multi-factor authentication mitigates the chances of accounts being compromised, but Spotify doesn’t support the option.
The team contacted the Swedish audio streaming giant on July 9th and received an almost immediate response. Within a period of eleven days between July 10th and 21st, Spotify addressed the issue and deployed a rolling reset of passwords for all users affected by the issue.
“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers explained.
The continuing success of credential stuffing attacks can, in large part, be attributed to users having poor password hygiene. People often commit many of the common cardinal sins of password creation and use, such as password recycling or even sharing their access credentials with others. To illustrate the questionable choices people make when it comes to their passwords, you need not look any further than the list of the most common passwords of 2020, which is topped by veritable gems like “123456” and “123456789”.
To protect the sensitive data stored in your accounts, you should start by opting for a strong and unique password, or even better passphrase. For convenience’s sake, you can also use a password manager that will do all the heavy lifting for you, including generating and storing all your tough-to-crack passcodes, so you’ll only have to remember one master password. For an extra layer of security, also activate multi-factor authentication where possible.