Fraud Operation Targets Spotify Users With Leaked Database

Marco Green
November 25, 2020

Spotify has reportedly begun resetting the passwords of up to 350,000 accounts that were breached as the result of a credential-stuffing attack. They noted that the hackers might have used credentials stolen from another platform, such as an app or website, to access Spotify accounts.

A newly released report from vpnMentor reveals the existence of a massive 72GB database containing the aforementioned number of records, including email addresses, usernames, and passwords.

On July 3, vpnMentor's research team, led by Ran Locar and Noam Rotem, discovered a database hosted on an unprotected Elasticsearch server and suspected it to be part of a credential-stuffing operation, the origins of which are as yet unidentified.

In the attack, the login information of more than 300 thousand Spotify accounts was seized. The database that was found belonged to a third party that was using it to store Spotify login credentials.

vpnMentor investigated these events and said in response that the leak of Spotify account information is not a breach on Spotify's side. What they want is to keep control of Spotify accounts.

"Hackers can profit enormously from credentials present in large database leaks such as these", said Ameet Naik, security evangelist at application protection firm PerimeterX Inc. "Businesses need to protect their login pages from ATO attacks using bot management solutions", he said. "Users must use strong, unique passwords on each service and use multi-factor authentication where possible".

Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc. So, when you find these options available, turn multiple verifications on if you want to remain secure, but remember not to try to reuse them among different websites.

For years, users have complained that their Spotify accounts were hacked after finding that passwords had been changed, new playlists had appeared in their profiles, or strangers from other countries had been added to their family accounts.

Credential stuffing is based on the hope that the victim is using the same login credentials for their other online accounts.
