Spotify Under Attack Again - 100,000 Customers Suffer

  • By Dawna M. Roberts
  • Published: Feb 22, 2021
  • Last Updated: Mar 18, 2022

 It wasn’t that long ago that Spotify denied a data breach while hundreds of customers complained about their accounts being hacked. Now Spotify has suffered a second credential stuffing attack affecting 100,000 customers.

What Happened?

Just three months ago (November 2020), Spotify suffered a major credential stuffing attack where customers experienced account takeovers with their music libraries being altered and login information changed.

According to ThreatPost, “Researcher Bob Diachenko  tweeted about the new Spotify attack  on Thursday: ‘I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.’”

Some users have noticed new playlists in their Spotify account, some of their music was deleted, or the account was taken over to use so the owner could no longer access it.

How Did Spotify Respond?

Immediately upon learning of the new credential stuffing attack, Spotify reset the passwords for all affected customers and notified them to change their login credentials.

Spotify posted an online notice of the attack with “We recently protected some of our users against [a credential-stuffing attack]. Once we became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid.”

Threatpost further explained that “The company also noted that the attacks were carried out using an ill-gotten set of data: ‘We worked to have the fraudulent database taken down by the ISP hosting it.’”

Apparently, the information used for the attack was stolen in a data breach similar to the issue in November. The breached data stems from a misconfigured Elasticsearch cloud database with more than 380 million user credentials from countries all over the world. Threatpost mentioned that a bad actor owns the database.

Threatpost also said that “Originally this data was exposed inside a misconfigured (thus publicly reachable) Elasticsearch cluster – most likely operated by the malicious actors themselves,” he said. “It contained entire logs of their operations, plus email/password pairs they used [for the attack].”

How Credential Stuffing Works

Credential stuffing is one popular technique used by cybercriminals to gain access and take over accounts. It works because many people reuse the same username(email) and password on multiple online accounts. Doing this presents a serious risk to the user.

Cybercriminals use software that automatically tries millions of stolen credentials on other accounts, and eventually, they get lucky and are able to log in. That is what happened to Spotify.

The problem with credential stuffing is that it allows hackers to take over the victim’s account completely. This may include stealing credit card or bank information, using the account for their own purposes, infecting apps and services with malware, taking over other accounts, and stealing additional information for identity theft.

Although the target was Spotify, hackers could essentially use information stored inside the program to access other more high-value targets such as your bank, credit card accounts, or other services. Once they obtain your birth date, email address, home address, and phone number, they have enough to wage further phishing attacks or perpetrate identity theft.

Unfortunately, credential stuffing attacks are widespread but avoidable. They can be the gateway used to destroy someone’s online life.

How to Protect Yourself Against Credential Stuffing

Credential stuffing can be avoided simply by not reusing your credentials on multiple accounts. Some other ways to protect your accounts are:

  • Use a good password generator to create long, strong passwords.
  • Sign up for two-factor authentication so no one can log into your accounts without your mobile device or biometrics.
  • Never share your passwords with anyone.
  • Keep a close eye on all online accounts looking for any suspicious changes or unauthorized access.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagra ... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “A ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the co ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% ... Read More

Clients’ Bank Data Exposed in Blackbaud Ransomware Attack

Blackbaud software was victim to a ransomware attack last May, and new information suggests that c ... Read More

Latest Articles

What is Digital Citizenship? Etiquette & Examples

What is Digital Citizenship? Etiquette & Examples

When someone is born on US soil, they are a national citizen; with this distinction, they obtain a list of entitlements and benefits, as well as societal obligations and predetermined consequences for bad behavior.

What Does Incognito Mean, How Does It Work, and Is It Really Safe?

What Does Incognito Mean, How Does It Work, and Is It Really Safe?

How do you browse the Internet? Using a primary browser, you can turn on "incognito mode," which increases your privacy on singular devices but is also less concealing than other privacy tools like virtual private networks (VPNs).

AI Voice Cloning: The New Frontier for Cybercriminal Fraud and How to Protect Yourself

AI Voice Cloning: The New Frontier for Cybercriminal Fraud and How to Protect Yourself

Many members of the younger generations avoid answering phone calls. On the one hand, this avoidance may be personal, as voice calls can sometimes cause anxiety; however, there is more to these rejections than nervousness.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address