Spotify Under Attack Again - 100,000 Customers Suffer
- By Dawna M. Roberts
- Feb 22, 2021
It wasn’t that long ago that Spotify denied a data breach while hundreds of customers complained about their accounts being hacked. Now Spotify has suffered a second credential stuffing attack affecting 100,000 customers.
Just three months ago (November 2020), Spotify suffered a major credential stuffing attack where customers experienced account takeovers with their music libraries being altered and login information changed.
According to ThreatPost, “Researcher Bob Diachenko tweeted about the new Spotify attack on Thursday: ‘I have uncovered a malicious #Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.’”
Some users noticed new playlists appearing in their Spotify account, found that some of their music had been deleted, or lost access to the account entirely after an attacker took it over for their own use.
How Did Spotify Respond?
Immediately upon learning of the new credential stuffing attack, Spotify reset the passwords for all affected customers and notified them to change their login credentials.
Spotify posted an online notice of the attack, stating: “We recently protected some of our users against [a credential-stuffing attack]. Once we became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid.”
Threatpost further explained that “The company also noted that the attacks were carried out using an ill-gotten set of data: ‘We worked to have the fraudulent database taken down by the ISP hosting it.’”
Apparently, the information used for the attack was stolen in a data breach similar to the issue in November. The breached data stems from a misconfigured Elasticsearch cloud database with more than 380 million user credentials from countries all over the world. Threatpost mentioned that a bad actor owns the database.
Threatpost also quoted Diachenko on the origin of the data: “Originally this data was exposed inside a misconfigured (thus publicly reachable) Elasticsearch cluster – most likely operated by the malicious actors themselves. It contained entire logs of their operations, plus email/password pairs they used [for the attack].”
How Credential Stuffing Works
Credential stuffing is one popular technique used by cybercriminals to gain access to and take over accounts. It works because many people reuse the same username (usually an email address) and password on multiple online accounts, which puts every one of those accounts at risk once a single service leaks the pair.
Cybercriminals use software that automatically tries millions of stolen credentials on other accounts, and eventually, they get lucky and are able to log in. That is what happened to Spotify.
The problem with credential stuffing is that it allows hackers to take over the victim’s account completely. This may include stealing credit card or bank information, using the account for their own purposes, infecting apps and services with malware, taking over other accounts, and stealing additional information for identity theft.
Although the target was Spotify, hackers could essentially use information stored inside the program to access other more high-value targets such as your bank, credit card accounts, or other services. Once they obtain your birth date, email address, home address, and phone number, they have enough to wage further phishing attacks or perpetrate identity theft.
Unfortunately, credential stuffing attacks are widespread but avoidable. They can be the gateway used to destroy someone’s online life.
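The pattern described above, one source trying many different stolen email/password pairs with mostly failures and the occasional successful login, is also what makes credential stuffing detectable in a service's own authentication logs. The following is an added example, not code from the article or from Spotify: it runs a simple detector over constructed login records (the log format, the addresses and the thresholds are assumptions for illustration) and lists the accounts a flagged source got into, which is the set an operator would force a password reset on, as Spotify did.

```python
# Added example (not from the article): flag credential stuffing in login logs.
# A stuffing source hits MANY distinct accounts, each once or twice, with a low
# success rate, inside a short window. A legitimate user mistyping a password
# retries the SAME account, so it is not flagged.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp source_ip username result"
SAMPLE_LOG = """\
2021-02-18T10:00:01 203.0.113.7 alice@example.com FAIL
2021-02-18T10:00:02 203.0.113.7 bob@example.com FAIL
2021-02-18T10:00:02 203.0.113.7 carol@example.com OK
2021-02-18T10:00:03 203.0.113.7 dave@example.com FAIL
2021-02-18T10:00:03 203.0.113.7 erin@example.com FAIL
2021-02-18T10:00:04 203.0.113.7 frank@example.com FAIL
2021-02-18T10:00:05 203.0.113.7 grace@example.com OK
2021-02-18T10:00:06 203.0.113.7 heidi@example.com FAIL
2021-02-18T10:01:00 198.51.100.9 alice@example.com FAIL
2021-02-18T10:01:05 198.51.100.9 alice@example.com OK
2021-02-18T10:02:00 192.0.2.4 ivan@example.com OK
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.5):
    """Return {ip: (distinct_accounts, attempts, successes)} for every source that
    tried at least min_accounts distinct usernames inside one window with a
    success rate below max_success_rate. Thresholds are assumed, tune per service."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):  # sliding window per source
            in_win = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_win}
            successes = sum(1 for _, _, ok in in_win if ok)
            if len(users) >= min_accounts and successes / len(in_win) < max_success_rate:
                flagged[ip] = (len(users), len(in_win), successes)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into: candidates for a forced password reset."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})
```

A per-IP heuristic like this misses stuffing spread across many proxy addresses, so production detectors also look at global signals such as the overall login failure rate and the share of attempts against accounts that have never logged in from that client before.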
How to Protect Yourself Against Credential Stuffing
Credential stuffing can be avoided simply by not reusing your credentials on multiple accounts. Some other ways to protect your accounts are:
- Use a good password generator to create long, strong passwords.
- Sign up for two-factor authentication so no one can log into your accounts without your mobile device or biometrics.
- Never share your passwords with anyone.
- Keep a close eye on all online accounts looking for any suspicious changes or unauthorized access.