Fraudsters compromised approximately 350,000 Spotify accounts simply by recycling previously stolen login credentials, a technique that requires little technical skill. What the hackers truly lacked was common sense: they failed to secure their own database with… a password.
380 Million Records Exposed
Security researchers Noam Rotem and Ran Locar came across the operation back in July, while scanning the net for weaknesses and exposures. That’s when they discovered a 72GB Elasticsearch database containing over 380 million records. The information included usernames, passwords, email addresses and other user data.
The origin of the data is unknown. The hackers most likely obtained it illegally, from an earlier data breach or a password dump site. They then applied a technique called credential stuffing: automated login attempts that replay a large number of username and password pairs breached from one service against another. The tactic unfortunately still works because people often re-use the same username and password across different platforms.
When the hackers do find a match (typically 0.1 to 0.2% of all login attempts), they can use the account for their own purposes. Sometimes they also manage to obtain other personally identifiable information or even credit card details. This information can then be used to send spam, launch phishing campaigns, steal people's identities, and so on. Stolen Spotify accounts can also be “rented out” to other users at a discount.
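The login pattern described above is what a defender looks for: one source trying many different accounts, almost all of them failing, with a hit rate in the 0.1 to 0.2% range. The following script is an added example, not code from the article or from Spotify; the log line format, the sample events (a constructed stuffing source plus two ordinary users) and the thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line format assumed for this example (not Spotify's real log schema):
#   <timestamp> ip=<source address> user=<account> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Constructed sample: one credential-stuffing source plus ordinary users."""
    lines = [
        # A legitimate user who mistypes twice, then logs in.
        "2020-07-03T08:00:01Z ip=198.51.100.7 user=alice result=fail",
        "2020-07-03T08:00:09Z ip=198.51.100.7 user=alice result=fail",
        "2020-07-03T08:00:20Z ip=198.51.100.7 user=alice result=ok",
        "2020-07-03T08:05:00Z ip=198.51.100.8 user=bob result=ok",
    ]
    # A stuffing source: 1000 attempts, each against a different account,
    # of which 2 succeed (a 0.2% hit rate, in line with the article's figure).
    for i in range(1000):
        result = "ok" if i in (137, 842) else "fail"
        lines.append(
            f"2020-07-03T09:{i // 60:02d}:{i % 60:02d}Z ip=203.0.113.10 "
            f"user=victim{i:04d} result={result}"
        )
    return lines


def summarise_by_source(lines):
    """Aggregate attempts, distinct accounts and successful logins per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "ok":
            s["hits"].append(m["user"])
    return stats


def detect_stuffing(lines, min_attempts=100, min_distinct_ratio=0.9,
                    max_success_rate=0.02):
    """Return sources whose login pattern looks like credential stuffing.

    Thresholds are illustrative, not tuned for any real service:
    - many attempts, almost all against *different* accounts (a brute-force
      attack on a single account looks the opposite: many attempts, one user);
    - a success rate that is tiny but non-zero (the article cites 0.1-0.2%).
    The accounts that did log in from a flagged source are the ones to reset.
    """
    findings = []
    for ip, s in summarise_by_source(lines).items():
        attempts = s["attempts"]
        if attempts < min_attempts:
            continue
        distinct_ratio = len(s["users"]) / attempts
        success_rate = len(s["hits"]) / attempts
        if distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate:
            findings.append({
                "ip": ip,
                "attempts": attempts,
                "distinct_accounts": len(s["users"]),
                "success_rate": success_rate,
                "compromised_accounts": sorted(s["hits"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(build_sample_log()):
        print(f"{f['ip']}: {f['attempts']} attempts on {f['distinct_accounts']} "
              f"accounts, hit rate {f['success_rate']:.2%}, "
              f"reset: {f['compromised_accounts']}")
```

Run stand-alone, the script flags 203.0.113.10 (1000 attempts on 1000 accounts, 0.20% hit rate) and lists victim0137 and victim0842 as the accounts to reset, while alice's two typos from 198.51.100.7 fall well under the attempt threshold. In practice the source key would be a mix of IP, ASN and client fingerprint, since stuffing tools spread attempts across proxies.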
Basic Security Blunder
Luckily, the operation was thwarted because the fraudsters made a basic security blunder: they failed to secure their cloud database with a password. Moreover, the data was not encrypted.
According to Rotem and Locar, the geographical scope and date range of the exposure remain unknown. Consequently, other hackers could also have discovered the exposed data and copied the records to try them out on other services at a later stage.
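An Elasticsearch node that answers unauthenticated requests on its HTTP port is exactly the exposure the researchers found. The script below is an added example, not code from the article or from the researchers, showing how to check whether a cluster of your own is in that state and, if it is, how many documents it is serving to anyone who asks. The URL, function names and the constructed sample responses are assumptions for illustration; the endpoints used (`/` and `/_cat/indices?format=json`) are standard Elasticsearch APIs.

```python
import json
import sys
import urllib.error
import urllib.request


def assess_root_response(status, body):
    """Classify an unauthenticated GET to the cluster root.

    Returns "auth-required" (security is on), "open" (anyone can query the
    cluster) or "not-elasticsearch" (something else answered).
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "not-elasticsearch"
        if isinstance(info, dict) and "cluster_name" in info and "version" in info:
            return "open"
    return "not-elasticsearch"


def summarise_indices(cat_indices_json):
    """Per-index and total document counts from /_cat/indices?format=json.

    docs.count is null for closed indices, so treat missing values as 0.
    """
    rows = json.loads(cat_indices_json)
    per_index = {r["index"]: int(r.get("docs.count") or 0) for r in rows}
    return per_index, sum(per_index.values())


def probe(base_url, timeout=5):
    """Probe base_url (e.g. http://host:9200) without any credentials."""

    def get(path):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, headers={"Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            # 401/403 arrive here; keep the status so the caller can classify it.
            return e.code, e.read().decode("utf-8", "replace")

    status, body = get("/")
    result = {"url": base_url, "verdict": assess_root_response(status, body)}
    if result["verdict"] == "open":
        status, body = get("/_cat/indices?format=json")
        if status == 200:
            per_index, total = summarise_indices(body)
            result.update(indices=per_index, total_docs=total)
    return result


if __name__ == "__main__":
    # Assumed default target; pass your own cluster URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(json.dumps(probe(target), indent=2))
```

A verdict of "open" with a non-trivial total_docs is the situation described in this article. The fix is to turn on authentication for the HTTP interface and to keep the node off the public internet; the probe only tells you whether the door is locked, not whether the data behind it is encrypted.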
In total, around 350,000 Spotify accounts were compromised. This is but a small fraction of the company’s user base of approximately 300 million music-streamers. No financial data is known to have been leaked.
Spotify Took Immediate Action
Noam Rotem and Ran Locar discovered the leak on July 3rd and contacted Spotify on July 9th. Spotify took immediate action. Between July 10th and July 21st it issued a rolling reset of the passwords involved and notified all affected users, asking them to choose a new password.
The information the hackers exposed should now be useless, at least on Spotify. Nonetheless, it is another stark reminder not to recycle login credentials across platforms, to change any password you have reused elsewhere without delay, and to turn on two-factor authentication wherever it is offered.
As predicted, account takeovers are on the rise and are expected to climb further unless users adopt basic security measures. There is a simple 8-step guide people can follow to better protect themselves online. Most of these tips can be applied to your computer, tablet, and smartphone alike.