Another 100,000 Spotify account credentials become public

Users of the Spotify service are likely to get another headache. A security researcher has found a database containing over 100,000 sets of credentials for Spotify user accounts. These were most likely obtained via a credential stuffing attack and allow unauthorized third parties to access the affected user accounts on Spotify.


November 2020 case

In the November 2020 blog post More than 300,000 Spotify accounts hacked?, I had already reported on a data leak with Spotify account credentials. Hackers had used a database of 380 million records of login credentials and personal information from various sources to crack Spotify accounts and were probably successful with more than 300,000 users. The whole thing works via "credential stuffing": attackers simply replay credentials from known data leaks against websites and, wherever a pair still works, gain access to the account. Weak passwords or reuse of the same credentials across different user accounts make this kind of attack possible.
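Credential stuffing leaves a recognizable trace in a service's authentication logs: one source address working through many different accounts with mostly failed logins, which looks nothing like a real user retrying their own password. The following script is an added example (not code from this blog or from Spotify) showing how a defender could spot such a source and pick out the accounts whose reused credentials actually worked, so they can be force-reset. The log format, the sample log lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data): one source address
# works through many different accounts with mostly failed logins, which is
# the signature of credential stuffing. The other addresses behave like
# ordinary users retrying their own password.
SAMPLE_LOG = """\
2021-02-04T10:00:01Z login user=alice@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:00:02Z login user=bob@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:00:03Z login user=carol@example.com ip=203.0.113.7 result=OK
2021-02-04T10:00:04Z login user=dan@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:00:05Z login user=eve@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:00:06Z login user=frank@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:00:07Z login user=grace@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:00:08Z login user=heidi@example.com ip=203.0.113.7 result=FAIL
2021-02-04T10:01:00Z login user=dave@example.com ip=198.51.100.22 result=FAIL
2021-02-04T10:01:05Z login user=dave@example.com ip=198.51.100.22 result=FAIL
2021-02-04T10:01:09Z login user=dave@example.com ip=198.51.100.22 result=OK
2021-02-04T10:02:00Z login user=erin@example.com ip=192.0.2.9 result=OK
"""

# Hypothetical log format used by the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Return source IPs that tried many distinct accounts with a high failure rate.

    A genuine user who forgets a password produces failures for one account;
    a credential-stuffing tool replays leaked username/password pairs, so it
    touches many accounts and most attempts fail. Both thresholds are
    illustrative and would be tuned per service.
    """
    users_by_ip = defaultdict(set)
    totals = defaultdict(int)
    failures = defaultdict(int)
    for ev in events:
        users_by_ip[ev["ip"]].add(ev["user"])
        totals[ev["ip"]] += 1
        if ev["result"] == "FAIL":
            failures[ev["ip"]] += 1
    flagged = []
    for ip, users in users_by_ip.items():
        fail_ratio = failures[ip] / totals[ip]
        if len(users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)


def accounts_to_reset(events, flagged_ips):
    """Accounts a flagged source logged into successfully: the reused credentials
    that worked, which should receive a forced password reset."""
    flagged = set(flagged_ips)
    hits = {ev["user"] for ev in events if ev["ip"] in flagged and ev["result"] == "OK"}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ips = find_stuffing_sources(evs)
    print("suspected credential-stuffing sources:", ips)
    print("accounts to reset:", accounts_to_reset(evs, ips))
```

On the constructed sample, only 203.0.113.7 is flagged (eight distinct accounts, seven of eight attempts failed), and carol@example.com is the one account whose leaked credentials still worked and therefore needs a reset; dave@example.com, who failed twice on his own account from his own address, is not flagged. Because stuffing tools spread attempts over many addresses, a production detector would additionally look at distinct accounts per address over a sliding window and at the overall failure rate for the whole login endpoint.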

Security researchers at vpnMentor came across an unsecured Elasticsearch database on the Internet at the time that contained over 380 million records, including credentials and other user data validated against the Spotify service. The origin of the database and how the fraudsters targeted Spotify are both unknown. The hackers may have used credentials stolen from another platform, application or website and used them to access Spotify accounts. Details can be read in the blog post.

New Spotify account credentials case

On February 4, 2020, security researcher Bob Diachenko announced in this tweet the discovery of another database containing over 100,000 Spotify account credentials.


Here, too, the data was obtained via credential stuffing and then misused to access Spotify accounts. Spotify resets the passwords as soon as misuse becomes known. In addition, attempts are made to have the database taken off the Internet via the hosting providers, but this is of little real help, since many copies may already exist. The site has also presented the case here.

