Customers of the music streaming service Spotify may have a problem. Hackers have used a database of 380 million records with credentials and personal information from various sources to crack Spotify accounts and have been successful with over 300,000 users.
The hacked Spotify accounts problem
For years there have been users whose Spotify accounts have been hacked after they changed passwords. Suddenly new playlists appeared in their profiles or strangers from other countries were added to their family accounts. Here are some tweets of affected people that I once pulled out.
This is probably all due to "credential stuffing": hackers simply try, at random, access data from known data leaks on websites and, if a login succeeds, can access the accounts. Weak passwords and the reuse of the same access data for different user accounts make this easier.
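How a service operator can spot this pattern in its own login records, as an added example that is not part of the original article and not code from Spotify or vpnMentor. The event format `(source IP, username, success)`, the function name and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source IP, username, login succeeded).
# IPs are from the RFC 5737 documentation ranges; none of this is real data.
SAMPLE_EVENTS = (
    # One attempt per account across many accounts, one hit: stuffing signature.
    [("203.0.113.10", f"user{i}", i == 3) for i in range(8)]
    # Many guesses against a single account: brute force, a different pattern.
    + [("198.51.100.7", "alice", False)] * 10
    # Office NAT: several real users, nearly all logins succeed.
    + [("192.0.2.50", f"staff{i}", True) for i in range(6)]
    + [("192.0.2.50", "staff0", False)]
)


def find_stuffing_sources(events, min_accounts=5, max_tries_per_account=2,
                          max_success_ratio=0.3):
    """Return {ip: {"accounts_tried": n, "compromised": [users]}} for sources
    that test many distinct accounts, few times each, with few successes.
    All thresholds are illustrative assumptions and need tuning per service."""
    # ip -> username -> [attempts, successes]
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, user, ok in events:
        counters = per_ip[ip][user]
        counters[0] += 1
        counters[1] += 1 if ok else 0

    findings = {}
    for ip, users in per_ip.items():
        attempts = sum(a for a, _ in users.values())
        hits = sorted(u for u, (_, s) in users.items() if s)
        if len(users) < min_accounts:
            continue  # too few distinct accounts to call it stuffing
        if attempts / len(users) > max_tries_per_account:
            continue  # repeated guessing per account points to brute force
        if len(hits) / len(users) > max_success_ratio:
            continue  # mostly successful logins: shared egress, not an attack
        # Accounts in "compromised" logged in with leaked credentials and
        # need a forced password reset and session revocation.
        findings[ip] = {"accounts_tried": len(users), "compromised": hits}
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source IP alone misses attempts spread over many addresses, so in practice the same counting is also done per network range, user agent or time window.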
Elasticsearch database with login data
The vpnMentor team e-mailed me yesterday at noon information about a new case focusing on Spotify accounts. The security researchers of vpnMentor came across an unsecured Elasticsearch database on the Internet that contains over 380 million records, including credentials and other user data validated against the Spotify service. The origin of the database and how the fraudsters targeted Spotify are both unknown. The hackers may have used credentials stolen from another platform, application, or website and used them to access Spotify accounts.
Spotify confirms the fraud attempt
The security specialists of vpnMentor then contacted the Swedish music service Spotify and handed over the information. The provider worked together with the security researchers. This made it possible to verify that the database belonged to a group or individual who used it to defraud Spotify and its users. The cooperation between vpnMentor and Spotify helped isolate the problem. According to vpnMentor, Spotify customers are by now probably protected against attacks.
Security researchers estimate that 300,000 to 350,000 Spotify accounts were hacked in this way. Those who have access to the accounts can listen to music on Spotify at the expense of the account holder. Of course, the 350,000 hacked accounts are nothing compared to the more than 290 million active users per month for the year 2020. Here is the timeline:
Date discovered: July 3, 2020 (verified on July 9)
Date of contact with Spotify: July 9, 2020
Date of reply: July 9, 2020
Date of Spotify action: Between July 10 and July 21, 2020
Further details can be found in this blog post if necessary.