credential stuffing op on spotify

Spotify Users Taken for a Song by Credential Stuffing Op

If you’re a Spotify user and have experienced some disruption with your account access, you may have been taken for a song by credential stuffing op that was recently in full swing.

Not too long ago, a research team stumbled across an open Elasticsearch database jam-packed with more than 72GB of data containing over 380 million records of individuals’ sensitive information. The login information and user data found on this particular database was actively being verified on Spotify when it was found. The reality of the situation is that an unscrupulous hacker was using the database to store Spotify login in credentials that were obtained illegally from other sources through a hacking process known as “credential stuffing”.

using the same password can lead to credential stuffing

At this point, the question begs to be asked; what on earth is “credential stuffing”?

Credential stuffing is a cyberattack used to steal the user names, emails and passwords of user accounts through large-scale automated login requests. This type of attack is aimed at people who use the same password for multiple services and accounts.

Typically, the hacker will obtain the ID and password from one source. In most instances, it is from a data breach on a company website. The hacker then uses that user name and password to gain access to other accounts used by the individual by using automated scripts. One big brand that has fallen victim to such a hacking attack is North Face.

spotify’s action against the credential stuffing attack

When the research team who found the database with stored credentials on it approached Spotify, it was discovered that the database belonged to a group or individual who was using it to defraud Spotify.

The company had to act quickly to protect its users and render the stored information on the illegal database useless and so they rolled out a company-wide (and user-wide) password reset. Up to as many as 350 000 users of Spotify were impacted by the attack which is considered a minor impact when you take into account that nearly 300 million users make use of the service on a monthly basis.

what is the real risk to you?

If you are thinking that a credential stuffing attack doesn’t really affect you, think again. You might not be a Spotify user, but perhaps you use a variety of other online services. Are your user names and passwords unique for each of those accounts? If not, you are at risk.

Statistics show us that credential stuffing used in conjunction with automated attacks (referred to as account takeover attacks) have increased by a massive 72% in the last 12 months alone. Why? Because it works for the hacker and because many people don’t take the risk and warning seriously until it directly impacts them. Don’t wait to become a victim! Take action now.

what to do

The first step is to make a list of all of your online accounts and services along with their user names and passwords. If any of them are using the same combinations of user names and passwords, change them! You must use a strong and unique password on each and every one of your online services and accounts.

Activating multi-factor authentication is also a really good step in the right direction.

last word

If you are a Spotify user, it’s a good safety precaution to change your password as soon as possible. Also, spend some time reviewing your current passwords and commit to changing them regularly.

Have you been impacted by a credential stuffing attack before? Let’s us know – we would love to hear about your personal experiences!