Bob Diachenko, a Ukrainian security researcher and the owner of SecurityDiscovery.com, has discovered that Spotify has fallen victim to a credential stuffing attack that used data from more than 100,000 accounts.
“I have uncovered a malicious Spotify logger database, with 100K account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack,” Diachenko tweeted on February 4.
The researcher could not identify where the credentials leaked from.
The Swedish music streaming giant was involved in another incident a few months ago that was caused by a security breach. This time, though, the attackers used a database of credentials to try to access user accounts.
Credential stuffing attacks are a common tactic used by bad actors attempting to gain access to user accounts. During such an attack, cybercriminals use bots to bombard websites with login attempts using stolen credentials from data breaches that occurred at other sites. Because individuals often re-use credentials across their online accounts, hackers can use usernames and passwords leaked in data breaches elsewhere online to gain access to the services they want.
Once Spotify became aware of the recent attack, they issued a password reset to all impacted users, which rendered the public credentials invalid. The Spotify security team also managed to have the fraudulent database taken down by the ISP hosting it.
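The pattern described above (one source replaying a list of leaked usernames and passwords, mostly failing) is what a defender looks for in authentication logs, and the accounts that did succeed are the ones Spotify's password reset would target. The following is an added example, not code from the article or from Spotify; the log format, thresholds and sample entries are constructed for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real Spotify data): "<ISO ts> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2021-02-04T10:00:01 203.0.113.7 alice FAIL
2021-02-04T10:00:02 203.0.113.7 bob FAIL
2021-02-04T10:00:02 203.0.113.7 carol FAIL
2021-02-04T10:00:03 203.0.113.7 dave OK
2021-02-04T10:00:03 203.0.113.7 erin FAIL
2021-02-04T10:00:04 203.0.113.7 frank FAIL
2021-02-04T10:00:04 203.0.113.7 grace FAIL
2021-02-04T10:00:05 203.0.113.7 heidi OK
2021-02-04T10:00:10 198.51.100.5 mallory FAIL
2021-02-04T10:00:15 198.51.100.5 mallory FAIL
2021-02-04T10:00:20 198.51.100.5 mallory OK
"""

def parse_log(text):
    """Return (timestamp, ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=6,
                    min_distinct_users=5, max_success_rate=0.5):
    """Flag IPs that, within one sliding window, try many different usernames
    with a low success rate: a credential list being replayed, not one user fumbling."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(ok for _, _, ok in win)
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_rate):
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users), "successes": successes}
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts logged into from a flagged IP: candidates for a forced password reset."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}
```

The single user retrying their own password from 198.51.100.5 is not flagged, because the distinct-username threshold separates a replayed credential list from ordinary login failures.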
Unfortunately, re-used credentials are a weak spot in cybersecurity. It doesn’t matter if users choose a strong and complex password: if it leaks, it leaks. After that, hackers find accounts with valid logins, bundle them together and sell them on the dark web for a few bucks an account. In countries where Spotify hasn’t launched yet, these stolen accounts can easily find buyers.
“Someone hacked my Spotify, and I completely lost control of being able to select songs. I kept getting overridden by the hacker picking out Russian music. Removing all devices and changing multiple passwords did nothing to resolve the issue – absolutely nuts and kind of freaky,” tweeted one user.
Even worse may happen. Compromised accounts can be used to build bots that play music over and over to generate illicit streaming income. The best way to avoid this kind of account takeover is never to reuse passwords. Security experts also advise using a service that monitors users’ digital identity and warns them when their credentials are exposed in a security incident.