It was recently revealed that Spotify has suffered its second credential stuffing attack in three months. It is estimated that almost a hundred thousand accounts are at risk of takeover.
What is Credential Stuffing?
Cybercriminals write a script that checks stolen IDs and passwords one by one against a target site's login. These credentials are taken from another website's breached database, or bought from one of the databases offered for sale online.
The attackers keep trying these credentials until one works, profiting from people who use the same password on several websites.
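Because the attack tries many different usernames from one source and most attempts fail, it leaves a distinctive trace in authentication logs. The following is an added detection example (not code from the article or from Spotify): it reads a constructed log of login attempts and flags any source IP that, within a short window, tries at least `min_users` distinct accounts with a high failure rate, which separates stuffing from a single user mistyping their own password. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the original article. The log format
(timestamp, source IP, username, outcome) and the thresholds below are
assumptions; the sample log lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 cycles through many different
# usernames with mostly failures (stuffing); 198.51.100.9 is one user
# failing twice on their own account before succeeding (benign).
SAMPLE_LOG = """\
2021-02-04T10:00:01Z 203.0.113.7 alice FAIL
2021-02-04T10:00:02Z 203.0.113.7 bob FAIL
2021-02-04T10:00:02Z 203.0.113.7 carol FAIL
2021-02-04T10:00:03Z 203.0.113.7 dave OK
2021-02-04T10:00:03Z 203.0.113.7 erin FAIL
2021-02-04T10:00:04Z 203.0.113.7 frank FAIL
2021-02-04T10:00:05Z 203.0.113.7 grace FAIL
2021-02-04T10:00:05Z 203.0.113.7 heidi FAIL
2021-02-04T10:01:00Z 198.51.100.9 alice FAIL
2021-02-04T10:01:30Z 198.51.100.9 alice FAIL
2021-02-04T10:02:00Z 198.51.100.9 alice OK
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "OK",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing.

    A source is flagged when, inside any sliding time window, it attempts
    at least `min_users` distinct usernames and at least `min_fail_ratio`
    of those attempts fail. Accounts that logged in successfully from a
    flagged source are listed for a forced password reset.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                prev = alerts.get(ip)
                # Keep the largest qualifying window seen for this source.
                if prev is None or len(win) > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "failures": failures,
                        "accounts_to_reset": sorted(
                            e["user"] for e in win if e["ok"]),
                    }
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The distinct-username count is the key signal: a legitimate user retrying a forgotten password produces repeated attempts on one account, while a stuffing script produces one or two attempts each across many accounts. In production the same logic would run over a real auth log stream and the `accounts_to_reset` list would feed the kind of forced password reset Spotify describes below.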
What happened to Spotify?
In November 2020, over 380 million Spotify user records were exposed on an unprotected Elasticsearch database. The unknown attackers used the same credential stuffing method to create the database. This caused Spotify to prompt all the users to change their passwords.
However, on February 4th, 2021, Bob Diachenko, a cybersecurity researcher, uncovered a Spotify logger database that had been built using yet another credential stuffing attack. The owner of the database is still unknown.
In his tweet, the researcher addressed the issue and revealed that:
“I have uncovered a malicious Spotify logger database, with 100K+ account details (leaked elsewhere online) being misused and compromised as part of a credential stuffing attack.”
He included a statement from Spotify regarding this incident in which the company confirmed that there had been an attack. The main point of the statement was:
“We recently protected some of our users against such an attack.” […] “Once [we] became aware of the situation, we issued password resets to all impacted users, which rendered the public credentials invalid.”
After that, the company assured Diachenko that the credential data available online was taken down. The full statement can be read from the image below:
Diachenko believes that there is a possibility that a rival group is involved in this attack.
How to be Safe?
If you are on Spotify, we suggest changing your password immediately. More importantly, if the same password is used for other accounts, those passwords must be changed as well. This matters because the same combination can be used to infiltrate accounts that hold far more important data than songs.
The best defense against credential stuffing is to never use the same password for multiple accounts. Along with this, multi-factor authentication is also very beneficial against credential stuffing attacks.
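Password reuse is what makes a list leaked from one site work against another, so a service can blunt the attack by refusing passwords that already appear in known breach corpora. The following is an added example (not the article's or Spotify's code) of the k-anonymity range lookup used by public breached-password services: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every matching suffix, and finishes the comparison locally, so the full password hash never leaves the client. The breach corpus here is a small constructed list; a real service would hold hundreds of millions of hashes and the "server" would be a remote API.

```python
"""Check a password against a breach corpus without revealing it.

Added example, not from the original article. The corpus below is
constructed for illustration; the 5-character SHA-1 prefix scheme is the
k-anonymity range lookup used by public breached-password services.
"""
import hashlib

# Constructed breach corpus. A real service stores only the hashes.
_LEAKED_PLAINTEXTS = ["password123", "qwerty", "letmein", "spotify2020"]
LEAKED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _LEAKED_PLAINTEXTS
}

PREFIX_LEN = 5


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password (the scheme's lookup key)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix):
    """Server side: return all stored hash suffixes sharing `prefix`.

    The server learns only a 5-hex-character prefix, which matches many
    unrelated hashes, so it cannot tell which password was checked.
    """
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be %d uppercase hex characters" % PREFIX_LEN)
    return sorted(h[PREFIX_LEN:] for h in LEAKED_HASHES if h.startswith(prefix))


def is_leaked(password):
    """Client side: send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in set(range_query(prefix))


def evaluate_new_password(password, min_length=12):
    """Policy check a signup or password-change form might apply.

    Returns a list of reasons the password is rejected; empty means OK.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if is_leaked(password):
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    for candidate in ["password123", "correct horse battery staple"]:
        print(candidate, "->", evaluate_new_password(candidate) or ["ok"])
```

Rejecting known-leaked passwords at signup and at password change stops a reused credential from being valid in the first place; multi-factor authentication then covers the case where a reused password still gets through, since the stolen username and password alone no longer complete the login.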