(ORDO NEWS) — Criminals left a database containing over 300,000 sets of Spotify credentials unprotected on the Internet.
In an unprotected Elasticsearch database, a research team found the credentials of over 300,000 Spotify users. The discoverers, Noam Rotem and Ran Locar from the VPN review site VPNmentor.com, suspect that the credentials were obtained through credential stuffing attacks. Spotify has notified the affected users of the incident and asked them to change their login details.
The database does not come from the music streaming service Spotify itself, but presumably from criminals who left the approximately 72 GB database with 380 million entries unprotected on the Internet, VPNmentor explains. In the database, the research team discovered more than 300,000 verified Spotify credentials together with the countries in which they were used. Spotify has around 300 million active users.
VPNmentor suspects that the credentials were obtained via so-called credential stuffing attacks. In such attacks, credentials obtained elsewhere, for example through a data leak or a hack, are tried against many different services. Because internet users tend to reuse the same password, usually with the same email address, across different services, credential stuffing remains a very successful attack method.
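A defender-side way to recognise the pattern described above, many different accounts tried from one source with few successes, added here as an example that is not part of the article; the log format, thresholds, addresses and sample lines are constructed for this example:

```python
# Added example (not from the article): flag source IPs whose login activity
# looks like credential stuffing. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<iso timestamp> <ip> <user> <ok|fail>"
SAMPLE_LOG = """\
2020-07-03T10:00:01 203.0.113.7 alice@example.org fail
2020-07-03T10:00:02 203.0.113.7 bob@example.org fail
2020-07-03T10:00:03 203.0.113.7 carol@example.org ok
2020-07-03T10:00:04 203.0.113.7 dave@example.org fail
2020-07-03T10:00:05 203.0.113.7 erin@example.org fail
2020-07-03T10:00:06 203.0.113.7 frank@example.org fail
2020-07-03T10:00:07 198.51.100.9 alice@example.org fail
2020-07-03T10:00:09 198.51.100.9 alice@example.org fail
2020-07-03T10:00:15 198.51.100.9 alice@example.org ok
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"

def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.25):
    """Return {ip: (distinct_users, success_ratio)} for IPs that, inside some
    `window`, attempt at least `min_users` distinct accounts with a success
    ratio at or below `max_success_ratio`. A single user retrying a forgotten
    password (one account, eventual success) is deliberately not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            # sliding window starting at each event
            span = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in span}
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                flagged[ip] = (len(users), ratio)
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The one successful login inside the flagged burst is the kind of event worth forcing a password reset and step-up verification on, since it is exactly what a stuffing run is looking for.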
Social engineering attacks are conceivable
Criminals could, for example, use the credentials to access paid Spotify accounts. The data could also be used for social engineering: those affected could be sent fake invoices purporting to come from Spotify, or they could be tricked into installing malware. The unprotected database could also have been discovered and misused by third parties, VPNmentor emphasizes. The credentials could also be tried against other services.
Data leak was reported to Spotify in July
The database was discovered on July 3, 2020 and reported to Spotify on July 9. VPNmentor has only now published the find. Affected users who have received a warning from Spotify should change their login details immediately. Anyone who used the same password for other services should set a new password there as well. Regardless of this incident, it is important to use an individual, strong password for each service. It is also advisable to enable Spotify’s two-factor authentication.