Researchers helped Spotify detect and shut down a credential stuffing operation built on a database of more than 380 million records tied to its users.
On July 3, VpnMentor’s research team, led by Ran Locar and Noam Rotem, discovered a database hosted on an unprotected Elasticsearch server and suspected it was being used for credential stuffing; who built it is still unknown.
The 72GB database held more than 380 million records on Spotify users, including usernames and passwords, email addresses, countries of residence, and other personally identifiable information (PII).
The researchers estimate that roughly 300,000 to 350,000 accounts could have been affected. They could not determine how the fraudsters obtained the Spotify data; the most likely explanation is that the credentials were stolen from another platform, such as an app or website, and then replayed against Spotify logins, which only succeeds where a user reused the same password.
Several server IP addresses also appeared in the exposed data, but most belonged to proxy servers of the network operators hosting the database rather than pointing to whoever built it.
The researchers stress that the exposure did not originate with Spotify: the database belonged to a third party that had obtained Spotify login credentials, legally or otherwise, and stored them to run a credential stuffing operation.
Credential stuffing is a technique in which attackers take username/password pairs leaked from one breach and replay them, usually with automated tools and often through proxy pools, against the login pages of other sites; it works because many people reuse the same password across accounts. VpnMentor notified Spotify on July 9, 2020. The company responded quickly and confirmed that the database was indeed being used by an individual or group of fraudsters to defraud Spotify and its users.
According to VpnMentor’s blog post, Spotify also initiated a “rolling reset of passwords” for all affected users, rendering the credentials held in the database useless.
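The attack pattern described above leaves a recognisable trace in authentication logs: one source cycling through many different accounts with a high failure rate (most leaked pairs no longer work), or one account hit from many addresses when the attacker rotates through proxies. The script below is an added example written for this article, not code from vpnMentor or Spotify; the log line format, the threshold values and the sample traffic are all constructed here for illustration. It flags stuffing sources, lists accounts where a leaked pair actually worked (the ones a targeted password reset must cover first), and reports accounts being hammered from a proxy pool.

```python
"""Spot credential-stuffing traffic in authentication logs (added example).

Assumed log format (constructed for this example, not a real Spotify format):
    <ISO-8601 timestamp> ip=<source address> user=<login> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Tuning knobs; the values are illustrative, not a recommended production setting.
WINDOW = timedelta(minutes=5)   # sliding window evaluated per source IP
MIN_ATTEMPTS = 10               # attempts inside the window before we judge it
MIN_DISTINCT_USERS = 8          # stuffing cycles through many accounts...
MIN_FAIL_RATIO = 0.7            # ...and most leaked pairs no longer work
MIN_SOURCE_IPS = 5              # one account hit from this many IPs: proxy pool

# Constructed sample traffic: one noisy source cycling through twelve accounts
# (one leaked pair still works), one ordinary user who typos once, one
# low-volume source, and one account hammered from five different addresses.
STUFFING_BURST = "\n".join(
    f"2020-07-03T10:00:{i:02d} ip=203.0.113.7 user=u{i:02d}@example.com "
    f"result={'ok' if i == 5 else 'fail'}"
    for i in range(1, 13)
)
SAMPLE_LOG = STUFFING_BURST + """
2020-07-03T10:01:00 ip=198.51.100.20 user=alice@example.com result=fail
2020-07-03T10:01:05 ip=198.51.100.20 user=alice@example.com result=ok
2020-07-03T10:01:30 ip=192.0.2.5 user=dave@example.com result=fail
2020-07-03T10:01:31 ip=192.0.2.5 user=erin@example.com result=fail
2020-07-03T10:01:32 ip=192.0.2.5 user=frank@example.com result=fail
2020-07-03T10:02:01 ip=198.51.100.31 user=carol@example.com result=fail
2020-07-03T10:02:02 ip=198.51.100.32 user=carol@example.com result=fail
2020-07-03T10:02:03 ip=198.51.100.33 user=carol@example.com result=fail
2020-07-03T10:02:04 ip=198.51.100.34 user=carol@example.com result=fail
2020-07-03T10:02:05 ip=198.51.100.35 user=carol@example.com result=fail
"""


def parse_log(text):
    """Parse log lines into events sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_stuffing_sources(events):
    """Return {ip: summary} for sources that, in some WINDOW, hit many distinct
    accounts with a high failure ratio. The summary covers all of that IP's traffic."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:   # slide window start
                start += 1
            window = evs[start:end + 1]
            if len(window) < MIN_ATTEMPTS:
                continue
            users = {e["user"] for e in window}
            ratio = sum(not e["ok"] for e in window) / len(window)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAIL_RATIO:
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "fail_ratio": round(sum(not e["ok"] for e in evs) / len(evs), 2),
                    # successful logins from a stuffing source = reused passwords
                    "compromised": sorted({e["user"] for e in evs if e["ok"]}),
                }
                break
    return flagged


def find_distributed_targets(events):
    """Accounts with failed logins from many source IPs (stuffing behind proxies)."""
    ips_by_user = defaultdict(set)
    for e in events:
        if not e["ok"]:
            ips_by_user[e["user"]].add(e["ip"])
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= MIN_SOURCE_IPS}


def accounts_to_reset(events):
    """Accounts that logged in successfully from a flagged source: reset these first."""
    out = set()
    for summary in find_stuffing_sources(events).values():
        out.update(summary["compromised"])
    return sorted(out)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", find_stuffing_sources(evs))
    print("distributed targets:", find_distributed_targets(evs))
    print("force reset:", accounts_to_reset(evs))
```

Note the two signals are deliberately separate: the per-IP window catches a single noisy source, while the per-account view catches an attacker who keeps each proxy under the volume threshold. In production the thresholds need tuning against your own baseline, since a shared corporate NAT or a mobile carrier gateway will also show many distinct users from one address, with a much lower failure ratio.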
Had a threat actor found the database first, they could easily have sold access to Spotify Premium accounts or used the data to launch follow-on phishing or identity theft attacks.
Users should therefore use a strong, unique password for every account, ideally generated and stored by a password manager so that one leaked password cannot be replayed elsewhere, and enable multi-factor authentication (MFA) wherever it is offered.