Data Stuffing Attack Nabbed Around 300,000 Spotify Accounts

Photo: Lionel Bonaventure (Getty Images)

An ill-gotten database of around 380,000 login credentials is a perfect reminder for the rest of us not to recycle our passwords.


According to vpnMentor, the team that found the database, this wasn’t the result of a breach on Spotify’s part at all. In fact, the origins of the user data and how it was obtained remain unknown. But wherever it came from, the blog explains, these login details were subjected to what’s known as “credential stuffing”: a type of attack where a huge volume of emails and passwords are fed into various (usually popular) websites and apps en masse. If any accounts are caught using the same login credentials between whatever site they originated from and the one being stuffed, the hacker(s) can get easy access to the service in question—in this case, Spotify.
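The pattern described above has a recognisable footprint on the receiving service: one source tries many different accounts roughly once each, with a very high failure rate and the occasional hit (the account whose password was reused). The following is an added example, not code from the article or from Spotify or vpnMentor, that classifies login sources from a few constructed authentication log lines and lists the accounts that should get a password reset. The log format, the hostnames and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data); IPs are RFC 5737 documentation ranges.
# 203.0.113.5 behaves like a stuffer: ten accounts, one try each, one success.
# 198.51.100.7 behaves like a brute-forcer: one account, repeated failures.
# 192.0.2.10 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2020-11-20T10:00:01Z ip=203.0.113.5 user=u01@example.com result=FAIL
2020-11-20T10:00:02Z ip=203.0.113.5 user=u02@example.com result=FAIL
2020-11-20T10:00:03Z ip=203.0.113.5 user=u03@example.com result=FAIL
2020-11-20T10:00:04Z ip=203.0.113.5 user=u04@example.com result=FAIL
2020-11-20T10:00:05Z ip=203.0.113.5 user=u05@example.com result=FAIL
2020-11-20T10:00:06Z ip=203.0.113.5 user=u06@example.com result=FAIL
2020-11-20T10:00:07Z ip=203.0.113.5 user=u07@example.com result=OK
2020-11-20T10:00:08Z ip=203.0.113.5 user=u08@example.com result=FAIL
2020-11-20T10:00:09Z ip=203.0.113.5 user=u09@example.com result=FAIL
2020-11-20T10:00:10Z ip=203.0.113.5 user=u10@example.com result=FAIL
2020-11-20T10:01:00Z ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-20T10:01:01Z ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-20T10:01:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-20T10:01:03Z ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-20T10:01:04Z ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-20T10:01:05Z ip=198.51.100.7 user=bob@example.com result=FAIL
2020-11-20T10:02:00Z ip=192.0.2.10 user=carol@example.com result=FAIL
2020-11-20T10:02:05Z ip=192.0.2.10 user=carol@example.com result=OK
this line is malformed and must be skipped
"""

# Assumed log line shape: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts that logged in OK


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Collect per-source-IP attempt statistics, ignoring unparseable lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def classify(s, min_attempts=5, min_distinct_users=5, min_fail_ratio=0.8):
    """Label one source. Thresholds are illustrative, not tuned for any real service."""
    if s.attempts < min_attempts:
        return "normal"
    if s.failures / s.attempts < min_fail_ratio:
        return "normal"
    # Stuffing: many accounts, about one try per account (a list being replayed).
    if len(s.users) >= min_distinct_users and s.attempts / len(s.users) <= 2:
        return "credential-stuffing"
    # Brute force: one or two accounts hammered with many guesses.
    if len(s.users) <= 2:
        return "brute-force"
    return "suspicious"


def find_abusive_sources(lines, **thresholds):
    """Return {ip: (verdict, SourceStats)} for every source not classified 'normal'."""
    out = {}
    for ip, s in aggregate(lines).items():
        verdict = classify(s, **thresholds)
        if verdict != "normal":
            out[ip] = (verdict, s)
    return out


def accounts_to_reset(lines, **thresholds):
    """Accounts that a stuffing source logged into: candidates for a forced reset."""
    reset = set()
    for verdict, s in find_abusive_sources(lines, **thresholds).values():
        if verdict == "credential-stuffing":
            reset |= s.successes
    return reset


if __name__ == "__main__":
    for ip, (verdict, s) in find_abusive_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {verdict} ({s.attempts} attempts, {len(s.users)} accounts)")
    print("reset:", sorted(accounts_to_reset(SAMPLE_LOG.splitlines())))
```

The point of separating the two verdicts is that the usual per-account lockout does nothing against stuffing, since each account sees only one attempt; the signal lives at the source (or, when the attacker rotates addresses, at the fleet level), and the only accounts worth resetting are the ones that actually succeeded.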

Anywhere from 300,000 to 350,000 Spotify accounts ended up compromised by this latest stuffing assault, with account usernames, passwords, and emails all exposed. Because Spotify isn’t a social network prone to misinformation campaigns, and no financial data was known to have been leaked, this might seem like a lot of work just to get Spotify’s paid premium tier for free. More likely, as CNET points out, the object of the attack was to defraud Spotify itself rather than its users. With thousands of accounts at their command, these hackers could engage in a little “streaming manipulation,” juicing the number of times a particular track or artist gets played. (Presumably one could either sell this as a service to actual artists looking for an illegitimate boost, or else create garbage tracks and reap the streaming royalties themselves.)

We’ve reached out to Spotify to see if it will share any details of what the compromised accounts were used for.

After being notified of the breach this past summer, Spotify, which to its credit responded the same day, according to vpnMentor, issued a “rolling reset” of the passwords involved, which realistically it ought to institute for all users, continually. I mean, good lord, the example vpnMentor cites of one such compromised account used the password “spotify.”

Now, four months after sending around these resets, the information in these hackers’ database should be effectively useless (on Spotify, anyway).

Wherever these credentials came from, and however they were being used, it’s as good a time as any to take an hour or two during the long weekend and change your passwords. Turn on multi-factor authentication where it’s available. Don’t recycle passwords between sites.


It’s important to keep your information secure—something I imagine the hackers involved in this little ordeal were reminded of when their stolen logins became useless. According to vpnMentor, emphasis theirs:

Our team was able to access this database because it was completely unsecured and unencrypted.


I cover the business of data for Gizmodo. Send your worst tips to swodinsky@gizmodo.com.

DISCUSSION

The fact that Spotify does not have two factor authentication is an issue as well.