Spotify Experienced Credential Stuffing Attack Targeting Thousands of Users
- Hundreds of thousands of Spotify users lost access to their accounts after a wave of credentials stuffing attacks.
- Researchers have spotted a huge database containing Spotify user credentials back in July 2020.
- The streaming platform is not directly responsible for that breach, but it should be offering MFA for user account protection.
A large number of Spotify users have lost access to their accounts as someone took them over and reset their passwords. The hackers also added new playlists on the hijacked profiles and generally proceeded to use them as if they were theirs.
The number of accounts that got breached in this wave of credential stuffing attacks is between 300,000 and 350,000, but the hackers could be holding as many as 380 million user records.
A report from VPNMentor that just came out reveals the existence of a massive 72GB database containing the aforementioned number of records, including email addresses, usernames, and passwords. The database does not originate directly from Spotify but appears to be from a third-party that uses Spotify login credentials.
Thus, credential stuffing actors could use the data leak to target these users and steal their accounts, and Spotify wouldn't know about the risk, as they weren't the ones who suffered the data breach.
That happened back in July 2020, and Spotify supposedly reset the passwords of the users who were affected by this occurrence. Possibly, many of these users picked the same password after the reset, although they shouldn’t be able to do that.
What Spotify didn’t do since then was to add multi-factor authentication, something that would have protected the accounts now. Users have been pleading for it, and weirdly, Spotify has been ignoring the requests.
If you are a Spotify user, especially a “Premium” subscriber, you should at least reset your credentials in the platform and pick a unique and strong password this time. It is possible that the hackers had a large number of credentials still waiting to be used, possibly including yours as well, but Spotify may have stopped them by placing additional checks on the login page.
For now, there’s no official response from the music streaming platform, which only makes the situation worse. Hopefully, Spotify will decide to add MFA steps instead of bypassing what is a pretty standard security policy today. Sure, the platform isn't to blame for the data breach that led to the situation, but they should be offering a higher level of account security nonetheless.