At the beginning of July this year, security researchers discovered an unsecured database that contained access credentials and other information on 350,000 Spotify users. Spotify reacted promptly to the leak and forced a password change for all users.
Detailed today by researchers Noam Rotem and Ran Locar at vpnMentor, the 72-gigabyte database of 380 million records relating to an estimated 300,000 to 350,000 Spotify users was found on an unsecured Elasticsearch installation.
It is true that the risk of access was averted in a timely manner. In view of the details that have now been published in an entry, however, further precautionary measures appear advisable. At the same time, the incident shows that using one and the same password everywhere is a bad idea. The data is probably just account data that was stolen in various other attacks. The usernames were then used to attack Spotify users. Since many users reuse their passwords, around 350,000 accounts were compromised in this way. Spotify reacted quickly and sent the users a reset request. Affected users should follow such a request as quickly as possible. Hacks like these are commonplace at many providers.
Password Leak At Spotify
The researchers emphasize that the information discovered was not the result of a leak at Spotify. Rather, the information probably came from one or more other unknown attacks and was presumably tried out at Spotify in the course of credential stuffing attacks.
The result was a database made up of Spotify accounts, as the researchers said they were able to validate. In addition to email addresses and user names, the database also included information on the users' place of residence. The entry does not say whether the data was actually used to access personal Spotify accounts. It is also unclear whether other cyber attackers could have tapped the network or how long it was accessible.
Never Use Passwords More Than Once
At Spotify, credential stuffing is made easier by the fact that either an email address or a username can be entered when registering. If Spotify asked you to change your login, you should now make sure that you also change that password everywhere else you have reused it.