Spotify Account Takeovers
Users of the music streaming service were targeted by attackers using credential-stuffing approaches.
Subscribers of Spotify streaming music service may have experienced some disruption, thanks to a likely credential-stuffing operation.
Credential stuffing takes advantage of people who reuse the same passwords across multiple online accounts. Attackers will use IDs and passwords stolen from another source, such as a breach of another company or website, that they then try to use to gain unauthorized access to other accounts, trying the stolen logins against various accounts using automated scripts. Cybercriminals have successfully leveraged the approach to steal data from various popular companies, including most recently, the North Face.
vpnMentor’s research team spotted an open Elasticsearch database containing more than 380 million individual records, including login credentials and other user data, actively being validated against Spotify accounts. The database in question contained over 72 GB of data, including account usernames and passwords verified on Spotify; email addresses; and countries of residence.
“The exposed database belonged to a third party that was using it to store Spotify login credentials,” the firm said. “These credentials were most likely obtained illegally or potentially leaked from other sources.”
It added, “Working with Spotify, we confirmed that the database belonged to a group or individual using it to defraud Spotify and its users.”
In response, Spotify initiated a rolling reset of passwords, making the information in the database relatively useless. The attacks ultimately affected between 300,000 and 350,000 music-streamers, vpnMentor said – a small fraction of the company’s user base of 299 million active monthly users.
“The origins of the database and how the fraudsters were targeting Spotify are both unknown,” according to the company, in a Monday posting. “The hackers were possibly using login credentials stolen from another platform, app or website and using them to access Spotify accounts.”
The exposed database could also be used for more than credential-stuffing attacks on Spotify Account Takeovers, according to vpnMentor.
“[This could lead to] many criminal schemes, not just by the fraudsters who built it, but also by any malicious hackers who found the database, as we did,” according to the posting. “Any of these parties could use the PII data exposed to identify Spotify users through their social media accounts, and more. Fraudsters could use the exposed emails and names from the leak to identify users across other platforms and social media accounts. With this information, they could build complex profiles of users worldwide and target them for numerous forms of financial fraud and identity theft.”
Ameet Naik, security evangelist at PerimeterX, said via email that hackers run credential-stuffing attacks to check the validity of these credentials against multiple services.
“These automated attacks, also known as account takeover (ATO), are growing in size and scope, up 72 percent over the prior year,” he said via email. “Businesses need to protect their login pages from ATO attacks using bot management solutions. Users must use strong, unique passwords on each service and use multi-factor authentication where possible.”
Anyone who has reused a Spotify password on any other accounts should also change it immediately, researchers said.
“This exposure goes to illustrate that criminals don’t need sophisticated technical hacking abilities to compromise accounts, rather, they can take advantage of lax security practices on behalf of users,” said Javvad Malik, security awareness advocate at KnowBe4. “Credentials are a particular area in which users are left exposed because they either choose weak passwords, or reuse them across different sites. It’s why it’s important that users understand the importance of choosing unique and strong passwords across their accounts and where available enable and use multifactor authentication (MFA). That way, even if an account is compromised, it won’t be possible for attackers to use those credentials to breach other accounts.