Up to 350,000 Spotify Accounts Hacked in Credential Stuffing Attack

Researchers stumbled upon an unsecured, internet-facing database containing over 380 million individual records, including login credentials that had been used to break into between 300,000 and 350,000 Spotify accounts. The records contained information such as usernames and passwords, email addresses, and country.

The report from VPNMentor said the database was hosted on an unsecured Elasticsearch server; who built it and who owned it remain unknown. The researchers were able to validate the data because Spotify confirmed that the information had been used maliciously to defraud the company and its users.

VPNMentor says it contacted Spotify about the exposed database on July 9th, and Spotify sent a password reset email to users affected by the breach. It is recommended that you change your Spotify password as soon as possible.

“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers stated.

“Credential stuffing is an automated account takeover attack during which cyber criminals leverage bots to hammer sites with login attempts using stolen access credentials from data breaches that occurred at other sites until they find the right combination of “old” access credentials and a new website and gain access.”
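As an added illustration of the defender's side of the attack just described (this is example code, not part of the article or of VPNMentor's report), the following detector flags login sources that try many distinct usernames with a high failure rate in a short window. The log format and the sample lines are constructed for the example.

```python
"""Detect credential-stuffing patterns in authentication logs.

Constructed log format (not from the article): each line is
"<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
Stuffing shows up as one source cycling through many *distinct*
usernames, mostly failing, within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one stuffing source (203.0.113.7) and one
# ordinary user who mistypes a password once (198.51.100.4).
SAMPLE_LOG = """\
2020-07-09T10:00:01 203.0.113.7 alice LOGIN_FAIL
2020-07-09T10:00:02 203.0.113.7 bob LOGIN_FAIL
2020-07-09T10:00:02 203.0.113.7 carol LOGIN_OK
2020-07-09T10:00:03 203.0.113.7 dave LOGIN_FAIL
2020-07-09T10:00:03 203.0.113.7 erin LOGIN_FAIL
2020-07-09T10:00:04 203.0.113.7 frank LOGIN_FAIL
2020-07-09T10:00:10 198.51.100.4 grace LOGIN_FAIL
2020-07-09T10:00:15 198.51.100.4 grace LOGIN_OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, successes)} for each source
    whose sliding window spans >= min_users distinct usernames with a
    failure ratio >= min_fail_ratio. Successes inside such a burst are
    the account takeovers that need a password reset."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse(line)
            events[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(r == "LOGIN_FAIL" for _, _, r in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                ok = sum(r == "LOGIN_OK" for _, _, r in win)
                flagged[ip] = (len(users), len(win), ok)
                break  # first qualifying window is enough to flag the source
    return flagged
```

Per-source counters like these are a starting point; real stuffing campaigns spread attempts across many IPs, so the same logic is usually applied per ASN or per client fingerprint as well.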

Source: welivesecurity